DF2: CORS / No 'Access-Control-Allow-Origin' header is present

Authentication & Security
1

I have the following setup:
DF2 Installed from Bitnami.
Admin Application Version: 2.0.6
DreamFactory Version: 2.0.3

DB Service: Link to a MySQL DB
FIles Service: Link to Amazon S3 File Storage

When trying to retrieve a file, I get the error:
No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://127.0.0.1:49806’ is therefore not allowed access.

And my CORS is enabled as:
Origin: *
Paths: api/v2/*
Headers: *
Max Age: 0
For all the verbs (GET, POST…)

Please tell me what I’m doing wrong?

2

Hi,

I think this is a new bug, After updating from ver 2.0.1 to 2.0.4 I have the same issue. The problem is that it does it 3 times out of 5.
This is what I get in the login request:

XMLHttpRequest cannot load http://v2.amicido.it:8080/api/v2/user/session. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://localhost’ is therefore not allowed access.

If I repeat the call it works.
The CORS setup is setup to allow everything

502×642 11.9 KB

If I roll back to v 2.0.1 it works properly.
I have filed a bug-fix request here.

3

I am also facing the same issue when trying to get image from Amazon S3 using Angular js SDK.
But login is working fine in my case and also get image is working fine if i use POSTMAN rest client.
My dreamfactory version is 2.0.2.

Have you found any solution?

4

Was this fixed for you guys in version 2.1?

5

This is happening because of the CORS (Cross Origin Resource Sharing) . For every HTTP request to a domain, the browser attaches any HTTP cookies associated with that domain. This is especially useful for authentication, and setting sessions. You are doing an XMLHttpRequest to a different domain than your page is on. So the browser is blocking it as it usually allows a request in the same origin for security reasons. You need to do something different when you want to do a cross-domain request.

JSONP ( JSON with Padding ) is a method commonly used to bypass the cross-domain policies in web browsers. You’re on domain example.com , and you want to make a request to domain example.nett . To do so, you need to cross domain boundaries. JSONP is really a simple trick to overcome the XMLHttpRequest same domain policy. So, instead of using XMLHttpRequest we have to use < script > HTML tags, the ones you usually use to load JavaScript files , in order for JavaScript to get data from another domain.

Localhost

If you need to enable CORS on the server in case of localhost, you need to have the following on request header.

Access-Control-Allow-Origin: http://localhost:9999