Why don't api.ok.ru send Access-Control-Allow-Credentials in the response header?

E

evgeny802015-09-22 19:49:19

JavaScript

evgeny80, 2015-09-22 19:49:19

From an external site, after successful OAuth authorization in classmates, I send a request to the REST API (users.getCurrentUser method) and get an error in the browser

XMLHttpRequest cannot load api.ok.ru/fb.do ?.....
Response to preflight request doesn't pass access control check: Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials. Origin ' mydomain ' is therefore not allowed access.

response headers

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: mydomain
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Content-Length: 0
Date: Tue, 22 Sep 2015 16:18:09 GMT
Connection: close

Request headers

...
Access-Control-Request-Headers:accept, access-control-allow-origin
Access-Control-Request-Method:GET
Connection:keep-alive
Host:api.ok.ru
Origin:http://mydomain
.. .

I didn’t find anything in the documentation and the Internet, so I turn to the developers or those who have already encountered this, please explain what needs to be done so that cross-domain requests to api work out normally?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

E

evgeny80, 2015-09-23
@evgeny80

Problem solved. As it turned out, the request had to be sent with the withCredentials parameter, only set to false and not send any access-control-allow values in the header.
PS: Apparently this was introduced not so long ago, because a week ago requests were processed without this parameter. In this regard, again a BIG question to the developers and documentation. How do you even work like that???

@

@GTimer, 2015-09-23
_

Apparently the request is made using XMLHttpRequest and with the withCredentials=true parameter set.
Setting the withCredentials=true parameter is redundant.