Why doesn't api.ok.ru send Access-Control-Allow-Credentials in the response header?
From an external site, after successful OAuth authorization with Odnoklassniki, I send a request to the REST API (the users.getCurrentUser method) and get an error in the browser:
XMLHttpRequest cannot load api.ok.ru/fb.do ?.....
Response to preflight request doesn't pass access control check: Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials. Origin ' mydomain ' is therefore not allowed access.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: mydomain
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Content-Length: 0
Date: Tue, 22 Sep 2015 16:18:09 GMT
Connection: close
...
Access-Control-Request-Headers:accept, access-control-allow-origin
Access-Control-Request-Method:GET
Connection:keep-alive
Host:api.ok.ru
Origin:http://mydomain
...
Problem solved. As it turned out, the request had to be sent with the withCredentials parameter set to false, and without sending any access-control-allow values in the headers.
PS: Apparently this was introduced not so long ago, because a week ago requests were processed without this parameter. In this regard, again a BIG question to the developers and documentation. How do you even work like that???
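The two conditions named in the answer, shown as an added example that is not part of the original thread: a simplified model of the browser's CORS checks, run against the response quoted in the question. The function names, the origin `http://mydomain` standing in for the redacted one, the value of the stray request header, and the absence of `Access-Control-Allow-Headers` in the response are assumptions.

```javascript
// Simplified model of the browser's CORS checks (after the Fetch standard); names are hypothetical.
// content-type is safelisted only for three form/text values; that restriction is not modelled.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Request headers set by the script that force an OPTIONS preflight.
function headersNeedingPreflight(requestHeaders) {
  return Object.keys(lower(requestHeaders)).filter((n) => !SAFELISTED.has(n)).sort();
}

// Origin and credentials check applied to a CORS response.
function corsCheck(responseHeaders, origin, withCredentials) {
  const h = lower(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return 'blocked: no Access-Control-Allow-Origin';
  if (allowOrigin === '*') return withCredentials ? 'blocked: wildcard origin with credentials' : 'allowed';
  if (allowOrigin !== origin) return 'blocked: origin mismatch';
  if (!withCredentials) return 'allowed';
  return h['access-control-allow-credentials'] === 'true'
    ? 'allowed' : "blocked: Access-Control-Allow-Credentials is not 'true'";
}

// A preflight must also list every non-safelisted request header.
function preflightCheck(responseHeaders, origin, withCredentials, requestHeaders) {
  const base = corsCheck(responseHeaders, origin, withCredentials);
  if (base !== 'allowed') return base;
  const allowed = (lower(responseHeaders)['access-control-allow-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const missing = headersNeedingPreflight(requestHeaders).filter((n) => !allowed.includes(n));
  return missing.length ? 'blocked: header not allowed: ' + missing.join(', ') : 'allowed';
}

// Constructed from the response quoted in the question.
const okResponse = {
  'Access-Control-Allow-Origin': 'http://mydomain',
  'Allow': 'GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH',
};
const pageOrigin = 'http://mydomain';
const withStrayHeader = { 'Accept': 'application/json', 'Access-Control-Allow-Origin': '*' };
const cleanHeaders = { 'Accept': 'application/json' };

console.log(preflightCheck(okResponse, pageOrigin, true, withStrayHeader));  // credentials failure
console.log(preflightCheck(okResponse, pageOrigin, false, withStrayHeader)); // header failure
console.log(headersNeedingPreflight(cleanHeaders), corsCheck(okResponse, pageOrigin, false));
```

`Access-Control-Allow-*` are response headers; setting one on the request only turns a simple GET into a preflighted one.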