8

I'm consuming an API using fetch but i'm getting CORS error. I tried multiples headers, but I'm not understading what's the problem.

I'm not the owner of the API, so I couldn't change it, but checking the response it's returning access-control-allow-origin.

Following is my request method:

export const execPOST = (url, body) => {
  return fetch(url, {
    method: "POST",
    headers: {
      "Access-Control-Allow-Origin": "*",
      "Content-Type": "application/json"
    },
    body: JSON.stringify(body)
  });
};

The response is:

Request URL: http://api
Request Method: OPTIONS
Status Code: 405 Method Not Allowed
Remote Address: ip
Referrer Policy: no-referrer-when-downgrade
Response Headers:
Access-Control-Allow-Origin: *

Isn't this response above enough to allow my request?

console error:

OPTIONS http://api net::ERR_ABORTED 405 (Method Not Allowed) Access to fetch at 'http://api' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

I got this working (meanwhile I develop) using "https://cors-anywhere.herokuapp.com/", but I don't think that I should use this for production enviroment.

I found a lot of material about this problem, but nothing that worked besides implements a backend to make the request or use something else as a proxy to make the request and so on...

Improve this question
9
  • 1
    What makes you say you are getting a CORS error?... Apparently the error is because the endpoint you are targeting does not allow the method. Can you try using a rest client to debug? Commented May 9, 2019 at 21:14
  • I edited my question adding chrome console log. Using postman or soapui it works Commented May 9, 2019 at 21:21
  • The API isn't responding to OPTIONS requests (otherwise known as preflights.) To avoid preflights, do not set custom headers. Commented May 9, 2019 at 21:27
  • 1
    I think you're just out of luck then. Commented May 9, 2019 at 21:33
  • 2
    Setting the Access-Control-Allow-Origin header in your request makes no sense...this is a header the server sets to indicate whether you are allowed to access the URL via a cross-domain request or not. It's an essential part of CORS security. If the requestor could set the header to whatever they wanted then clearly it would not provide any security Commented May 9, 2019 at 21:40

2 Answers 2

Reset to default
10

Update code as given below (use 'mode' with the value 'no-cors' ):

For more details follow the link => https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch

export const execPOST = (url: string, body: any) => {
  return fetch(url, {
    mode: 'no-cors',
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(body)
  });
};
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

no, it is not correct, no-cors value cannot work simultaneously with 'application/json' developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch
@Panos Although the documentation does say that, I am able to send json data with no-cors on Google Chrome. Weirdly, if I set mode to cors, it complains about CORS issue
4

CORS headers are set by the API to protect users from malicious code making requests to sites on their behalf.

This means that you cannot enable or disable it from the client side as the Access-Control-Allow-Origin header is a server side only header.

If you don't have access to the API to change the headers then you won't be able to use the API from the client side.

In production you would have to create your own API that will handle the requests to the API you are trying to contact.

Improve this answer

6 Comments

This means that you cannot disable it from the client side Can I suggest amending this line to say "enable or disable".
If you don't have access to the API to change the headers then you won't be able to use the api. This isn't quite true; CORS only applies to browser requests. A proxying API endpoint on the hosting server isn't bound by CORS rules.
Thanks @Amy, I've updated it to mention the client side
Thanks for your reply. Like I posted in my question, the server is already returning "Access-Control-Allow-Origin". Isn't this enough to client-side request to work?
From the error message it's likely that the server hasn't implemented a response to the preflight OPTIONS request, meaning that you get method not allowed and a CORS error. Either way it is not something you can fix if you can't make changes to the server. You will have to implement a backend solution to proxy the requests to the API.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.