0

I'm working on a project using node.js and express.js on server side, and angular.js on client side. I've set up authentication on server side using passport.js. So when I login the session cookie is set up and I can access the api via browser with no problem. But when I try to request the url of the api in angular.js with http, I get "cors blocked" (yeah, I made that up). Server allows credentials, client sends withCredentials: true. What is the problem?

Funny thing is server and client are not even in different domains. They are both in localhost. But since server "cors blocked" me in the very beginning, I've enabled cors.

So I have server and client in the same domain. Corse is enabled in server and I still can't send my cookies.

Response Headers
Access-Control-Allow-Orig...    *
Connection  keep-alive
Content-Length  33101
Content-Type    application/json
Date    Sun, 18 May 2014 15:02:41 GMT
Etag    "-796401813"
X-Powered-By    Express
access-control-allow-cred...    true
Request Headers
Accept  application/json, text/plain, */*
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Cookie  prgck=s%3AGb1ZXuD0uXHoBbFWIcrmkSFt.%2BNt0pdVa1%2BNhUNITAPOzPjmQxklPpDrdvQz%2BACj084o
Host    localhost:1212
Origin  http://localhost:8000
Referer http://localhost:8000/app/
User-Agent  Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0
Improve this question
7
  • The reason it is a CORS request is because of different ports. It's not just the hostname/domain that can cause this. Commented May 18, 2014 at 15:16
  • It may also be worth posting the relevant Express code you're using. Commented May 18, 2014 at 15:21
  • There isn't much on the Express code. It's a simple route that sends data from mongodb. It works fine with authentication if I reach the api via browser (e.g. localhost/api/get). If I turn off withCredentials in angular http request, I get 401 as expected. If I disable authentication everything works perfect. So the "cors block" only happens if I try to send cookies with the request. Commented May 18, 2014 at 15:38
  • How are you using the cors middleware? Are you simply using the defaults with app.use(cors()); or are you specifying options or ? Commented May 18, 2014 at 16:12
  • Also, is the http request you've shown above an OPTIONS or other type of request? Commented May 18, 2014 at 16:13

1 Answer 1

Reset to default
1

It is not clear what you did on your Express server, but looking at the headers you posted it seems you enabled Access-Control-Allow-Credentials but you did not define the Access-Control-Allow-Origin.

This latter is necessary to actually enable CORS. So your Express server must set both:

Access-Control-Allow-Origin: http://my.domain.com:8080
Access-Control-Allow-Credentials: true;
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

As I stated in above comments; normally, everything works fine between the client and the server. The cors error happens only if I turn on withCredientials on the client side. I am using cors middleware here to allow cross domain requests.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.