AngularJS performs an OPTIONS HTTP request for a cross-origin resource

angularjs cors cross-domain preflight
matsko picture matsko · Aug 24, 2012 · Viewed 270.1k times · Source

I'm trying to setup AngularJS to communicate with a cross-origin resource where the asset host which delivers my template files is on a different domain and therefore the XHR request that angular performs must be cross-domain. I've added the appropriate CORS header to my server for the HTTP request to make this work, but it doesn't seem to work. The problem is that when I inspect the HTTP requests in my browser (chrome) the request sent to the asset file is an OPTIONS request (it should be a GET request).

I'm not sure whether this is a bug in AngularJS or if I need to configure something. From what I understand the XHR wrapper can't make an OPTIONS HTTP request so it looks like the browser is trying to figure out if is "allowed" to download the asset first before it performs the GET request. If this is the case, then do I need to set the CORS header (Access-Control-Allow-Origin: http://asset.host...) with the asset host as well?

Answer

pkozlowski.opensource picture pkozlowski.opensource · Aug 24, 2012

OPTIONS request are by no means an AngularJS bug, this is how Cross-Origin Resource Sharing standard mandates browsers to behave. Please refer to this document: https://developer.mozilla.org/en-US/docs/HTTP_access_control, where in the "Overview" section it says:

The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser. Additionally, for HTTP request methods that can cause side-effects on user data (in particular; for HTTP methods other than GET, or for POST usage with certain MIME types). The specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request header, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.

It is very hard to provide a generic solution that would work for all the WWW servers as setup will vary depending on the server itself and HTTP verbs that you intend to support. I would encourage you to get over this excellent article (http://www.html5rocks.com/en/tutorials/cors/) that has much more details on the exact headers that needs to be sent by a server.

Related questions

No 'Access-Control-Allow-Origin' header is present on the requested resource- AngularJS

XMLHttpRequest cannot load http://mywebservice. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. I get this error when I try to run my web-service from inside my code. I tried …

Read More
Angular POST cross origin error while POSTMAN works

I try to POST from my angular login service: $http.post('https://xyz/login', { headers: { 'Content-type': 'application/json', 'Accept': 'application/json', 'signature': 'asd' } And I get this error: XMLHttpRequest cannot load https://xyz/login. Response to preflight request doesn't pass …

Read More
Restangular crossdomain request. What I do wrong?

I have domain sub.example.com with configured restangular: RestangularProvider.setDefaultHeaders({ 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest' }); RestangularProvider.setDefaultHttpFields({ 'withCredentials': true }); Then I'm building other factory via: return Restangular.withConfig(function(RestangularProvider) { RestangularProvider.setBaseUrl('http://api.example.com'); }); And, obviously, getting …

Read More