Did I implement CORS at the wrong place?

by SWiggels   Last Updated May 28, 2018 11:00 AM

I have problem concerning CORS. I always get rejected from a clients api (Console error at the end of article). Now I'm wondering if its my fault at all. I hope to find the gap with your help.

I got the following setup:

In my responsibility: domain-a.com: NGINX ------ ANGULAR frontend ------ SpringBoot backend

In the clients responsibility: domain-b.com: /adrstep.json

domain-b.com serves a JSON when calling GET on /adrstep.json. This works perfectly fine when called directly from a browser.

In the angular part I call domain-a.com/adrstep/adrstep.json this gets rewritten in NGINX to domain-b.com/adrstep.json. This is what I get in Chrome:

From CHROME NETWORK tab:

Request from browser to NGINX:

GENERAL:
Request URL: https://domain-a.com/adrsteps/adrstep.json
Request Method: GET
Status Code: 302 Moved Temporarily
Remote Address: 212.25.3.166:443
Referrer Policy: no-referrer-when-downgrade

RESPONSE HEADER:
HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html
Connection: keep-alive
Location: https://domain-b.com
Access-Control-Allow-Origin: https://domain-b.com
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With

REQUEST HEADER:
GET /adrsteps/adrstep.json HTTP/1.1
Host: domain-a.com
Connection: keep-alive
Accept: application/json, text/plain, */*
Content-Type: application/json
Referer: https://domain-a.com
Accept-Encoding: gzip, deflate, br

Redirected request from NGINX to api on domain-b.com:

GENERAL
Request URL: https://domain-b.com/adrstep.json
Request Method: OPTIONS
Status Code: 200 OK
Remote Address: 193.246.69.8:443
Referrer Policy: no-referrer-when-downgrade

RESPONSE HEADER
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Status: 200 OK
Age: 0
Strict-Transport-Security: max-age=86400; includeSubdomains
X-Frame-Options: SAMEORIGIN
Frame-Options: SAMEORIGIN

REQUEST HEADER
OPTIONS /adrstep.json HTTP/1.1
Host: domain-b.com
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: https://domain-a.com
Access-Control-Request-Headers: authorization,content-type,x-requested-with
Accept: */*
Accept-Encoding: gzip, deflate, br

NGINX config:

location /adrsteps/ {
    add_header 'Access-Control-Allow-Origin' 'https://domain-b.com' always;
    add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,...
    rewrite ^(\/adrsteps\/) https://domain-b.com/adrsteps.json$2 break;
    proxy_redirect     off;
}

Browser console error:

Failed to load https://domain-b.com/adrsteps.json?: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://domain-a.com' is therefore not allowed access.

Has anyone an idea where the problem may be? I clearly can see the Access-Control-Allow-Origin in my request header... Thanks in advance.

Tags : nginx cors


Related Questions


How Can I Enable CORS on NGINX?

Updated April 06, 2015 21:00 PM

How do I add Access-Control-Allow-Origin in NGINX?

Updated January 04, 2016 14:00 PM