Refused to get unsafe header "Location"
S

4

10

I have a website and my REST api server.

I do an ajax POST request to the REST server to create a new model. The answer for this request will be an "HTTP/1.1 201 Created" response with the header "Location: http://myapi.com/some/path/111". But I get the error message Refused to get unsafe header "Location". I know that this is because of cross domain access policy and other bla bla bla.

Does anybody know how to fix it? Maybe I have to add an "Access-Control-Allow-SOMETHINGHERE" header to the response?

UPD:

Web site URL http://www.mydomain.com/

Original URI is http://api.mydomain.com/model/ and new Location URI is http://api.mydomain.com/model/211

The original URI is used for the ajax POST request, which responds with the new Location header.

Susy answered 8/10, 2011 at 22:23 Comment(1)
What is the original URL and what is the new Location URL? - Knighterrantry
P
9

It's because the Location header is not exposed to the calling client (in this case your ajax code) by default (it's 'unsafe'). To expose it you have to return an additional header:

Access-Control-Expose-Headers: Location

This way the browser will expose it, so the client can read it. You can add multiple comma-separated headers there. More about it here. Here you can read which methods, headers & content types are safe (simple) and don't require any additional configuration.

Paphlagonia answered 21/7, 2014 at 6:38 Comment(3)
Can you display this in the full code? - Cyano
@EvanErickson it depends what backend language you use. For Java when using a Servlet Filter you can use HttpServletResponse.setHeader("Access-Control-Expose-Headers", "Location"); In PHP I believe you could use header('Access-Control-Expose-Headers: Location'); However I don't recommend such a manual approach. You should be using a complete component which adds support for CORS in your app and allows configuration of allowed methods / headers (for Java: github.com/…) - Paphlagonia
Yeah, unfortunately no one told BlueSnap that. That company has a credit card api which requires you to get a response from the location headers... Why they didn't put the payload in the body of the response I will never know. They want you to parse a header. Terrible company. - Cyano
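The fix described in the answer above, as an added example that is not part of the original thread: the server sends `Access-Control-Expose-Headers: Location` only to an allowlisted origin, and a simplified model of the browser's header filter shows why `Location` is unreadable without it. The function names and the allowlist are assumptions; the URLs are the ones given in the question.

```javascript
// Added example. The origin allowlist and function names are assumptions.
const ALLOWED_ORIGINS = new Set(['http://www.mydomain.com']);

// Response headers a browser exposes cross-origin without any opt-in
// (the CORS-safelisted response-header names).
const SAFELISTED = new Set(['cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma']);

// Server side: headers for the "201 Created" reply to a cross-origin POST.
function createdResponseHeaders(requestOrigin, newUri) {
  const headers = { 'Location': newUri, 'Content-Length': '0' };
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin; // allowlisted origins only
    headers['Vary'] = 'Origin';                             // keep caches per-origin
    headers['Access-Control-Expose-Headers'] = 'Location';  // expose only what is needed
  }
  return headers;
}

// Browser side (simplified model): what a script on pageOrigin may read.
// Returns null when the CORS check fails and the response is withheld entirely.
// The "*" wildcard form of Access-Control-Expose-Headers is not modelled.
function readableHeaders(pageOrigin, responseHeaders) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  const allow = lower['access-control-allow-origin'];
  if (allow !== '*' && allow !== pageOrigin) return null;
  const exposed = new Set((lower['access-control-expose-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean));
  const out = {};
  for (const [name, value] of Object.entries(lower)) {
    if (SAFELISTED.has(name) || exposed.has(name)) out[name] = value;
  }
  return out;
}

// Constructed sample run using the URLs from the question.
const site = 'http://www.mydomain.com';
const created = createdResponseHeaders(site, 'http://api.mydomain.com/model/211');
console.log(readableHeaders(site, created).location);
```

Listing only `Location` in the expose header keeps every other non-safelisted response header unreadable to page scripts.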
B
2

For Amazon S3 uploads (via Dropzone for instance) you need this in your CORS configuration.

<ExposeHeader>location</ExposeHeader>
Benson answered 9/12, 2016 at 1:47 Comment(0)
J
1

I'd just work around it, either by returning the new location as a value from the call or having the client code know where the newly created item is stored.

Another option is to create a proxy for the calls on the original domain.

Josejosee answered 8/10, 2011 at 23:7 Comment(0)
P
0
header Location: http://myapi.com/some/path/111"

That piece of code is completely wrong. Use it correctly, or almost correctly.

Try this:

header("Location: http://myapi.com/some/path/111");

or

header("Location: http://myapi.com/some/path/111"); exit();

If this does not work, let me know :-)

Protract answered 8/10, 2011 at 23:16 Comment(1)
Thanks Stian, but I know how to add Location header with PHP. The problem is in cross domain policy or something like this. I get error Refused to get unsafe header "Location" in browser console, instead of going by new URI. - Susy
