CORS Blocks Request with status 403 on Nginx

I am facing a strange issue with running CORS on Nginx. CORS is working fine for everything but one scenario: when the server responds with a 403 HTTP response.

Basically, when I log in with correct credentials the CORS request works fine; however, when I provide wrong credentials for login, the server (backend) responds with a 403 status and I get the following error:

    "NetworkError: 403 Forbidden - http://mydomain.com/v1/login" login
    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://mydomain.com/v1/login. This can be fixed by moving the resource to the same domain or enabling CORS.

If the credentials are correct I don't get this error and everything works perfectly.

I have done the configuration for enabling CORS and it seems to be working fine for everything else.

Following are the Request Headers

Request Headers

    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0
    Referer: http://abc.mydomain.com/
    Pragma: no-cache
    Origin: http://abc.mydomain.com
    Host: www.mydomain.com
    Content-Type: application/json;charset=utf-8
    Content-Length: 74
    Connection: keep-alive
    Cache-Control: no-cache
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Accept: application/json, text/plain, */*

Response Headers

    Server: nginx/1.4.1
    Date: Tue, 10 Jun 2014 05:28:30 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 76
    Connection: keep-alive

Bedeck answered 9/6, 2014 at 11:51 Comment(5)
Maybe pasting request and response headers will help to answer your question. - Frydman
@Frydman I have updated the post with request and response headers. - Bedeck
It does not look like a problem; a RESTful API means that if you input wrong credentials it would respond with 403, as it is supposed to. - Frydman
@Frydman Absolutely, the problem is that when the server responds with a 403, I start getting a CORS error on the Firebug console. - Bedeck
There is no CORS-related header in the headers pasted. - Frydman

An option for nginx (>=1.75) is to specify the always parameter in add_header:

If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.

Saturn answered 28/9, 2015 at 4:8 Comment(0)

I assume that you are using the add_header directive to add CORS headers in the nginx configuration.

The nginx modules reference states about add_header:

Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.

To fix the problem you could use the ngx_headers_more module to set CORS headers on error responses as well.

    more_set_headers 'Access-Control-Allow-Origin: $http_origin';
    more_set_headers 'Access-Control-Allow-Headers: Content-Type, Origin, Accept, Cookie';
Chacha answered 16/9, 2014 at 9:14 Comment(0)
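
The `always` fix from the answers above, written out as an added example (not code from the question or either answer): rather than echoing `$http_origin` back to every caller, a `map` allowlists the one origin seen in the question's request headers. The `$cors_origin` variable name and the upstream address are assumptions.

```nginx
# Added example. Hostnames come from the question's Host/Origin headers;
# $cors_origin and the proxy_pass target are assumed placeholders.

# map belongs in the http {} context.
# Only allowlisted origins get a non-empty value; add_header does not
# emit a header whose value is empty, so other origins receive no
# Access-Control-Allow-Origin header at all.
map $http_origin $cors_origin {
    default                    "";
    "http://abc.mydomain.com"  $http_origin;
}

server {
    listen 80;
    server_name www.mydomain.com;

    location /v1/ {
        # Before: without "always" the header is added only for
        # 200, 201, 204, 206, 301, 302, 303, 304 and 307, so the 403
        # returned for bad credentials carries no CORS header and the
        # browser reports a cross-origin error instead of the 403 body.
        # add_header Access-Control-Allow-Origin $cors_origin;

        # After: "always" (nginx >= 1.7.5) adds the header regardless
        # of the response code.
        add_header Access-Control-Allow-Origin  $cors_origin always;
        add_header Access-Control-Allow-Headers "Content-Type, Origin, Accept" always;

        # The response now depends on the Origin request header, so
        # shared caches must key on it.
        add_header Vary Origin always;

        # add_header directives are inherited from the enclosing level
        # only when this level defines none of its own, so keep all
        # CORS headers together in one block.
        proxy_pass http://127.0.0.1:8080;  # assumed backend address
    }
}
```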
