Uploaded image for project: 'Magnolia REST Framework'
  1. Magnolia REST Framework
  2. MGNLREST-193

Need configurable preflight OPTIONS filter to avoid No 'Access-Control-Allow-Origin' header error

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Duplicate
    • Neutral
    • None
    • 2.1.1
    • None
    • None
    • Yes

    Description

      As a developer I want Magnolia to accept and correctly respond to CORS 'preflight' 'OPTIONS' requests so that I can actually achieve my headless CMS requirements including (but not limited to) pushing content to Magnolia.

      Currently its not possible (or at least hard) to push content to Magnolia REST endpoints, or delete content, from within a browser as modern browsers enforce CORS security. Another customer mentioned "Outlook performs (don't know the exact reason) an OPTIONS call on the feed URL which is failing as Magnolia requests a login for the OPTIONS call. " There are surely other cases where OPTIONS headers are sent.

       To Reproduce issue

      See instructions in Description of this ticket: https://jira.magnolia-cms.com/browse/MGNLREST-81

      Acceptance Criteria:

      • When my app/website running in a browser makes a request to Magnolia endpoints and sends OPTIONS request, then Magnolia responds correctly to the browser, such that the browser can make the actual request.
      • As a developer I can configure how magnolia responds to OPTIONS requests.
      • Magnolia has a default configuration which accepts OPTIONS requests, or makes it very easy to configure, for example by setting one property in configution. For example it should be configured on this default CORS configuration: https://jira.magnolia-cms.com/browse/MGNLREST-258

      We should provide a basic solution without delay. A further ticket could be created to add further sophistication.

       

      Resources

      Please see comments below and comments on linked ticket MGNLREST-81and Patch from amanzoni. https://git.magnolia-cms.com/projects/SERVICES/repos/rest/commits/0f42ac3ab288ee94116f772994056dbbb2516f60

       

      CORS OPTIONS Details

      https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

      https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS

       

      Previous Description: (Still relevant)

      Customers are facing blocking issue when using Angular 6 accessing HeadLess bundle because of below error:
      XMLHttpRequest cannot load http://localhost:8080/mpl/.rest/mplWebsite/myphx/home. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 403.*
      I've tried also and getting the same issue. Please find in ticket comment a temporarily filter, please fix it for configurable and production grade.

      Checklists

        Acceptance criteria

        Attachments

          Issue Links

            Activity

              People

                Unassigned Unassigned
                viet.nguyen Viet Nguyen
                Votes:
                1 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  Checklists

                    Task DoD