Request method changing from GET to OPTIONS by itself

2

I have the following code:

$(function() {
    // Show the JSON body field only for methods that carry a body.
    $('#method').change(function() {
        var method = $(this).val();
        if (method == 'GET' || method == 'DELETE')
            $('#json-group').hide();
        else
            $('#json-group').show();
    });

    $('#send-button').click(function() {
        var url = $('#url').val();
        // Use an anchor element to parse the URL and get its path.
        var a = document.createElement('a');
        a.href = url;
        var method = $('#method').val();
        var data = (method == 'GET') ? '' : $.trim($('#json').val());
        var md5 = data ? CryptoJS.MD5(data).toString(CryptoJS.enc.Base64) : '';
        var date = (new Date()).toUTCString();

        // Sign method, body hash, date and path with the API secret.
        var parts = [method, md5, date, a.pathname].join('\n');
        var hmac = CryptoJS.HmacSHA1(parts, $('#api_secret').val());
        var sig = hmac.toString(CryptoJS.enc.Base64);
        var auth = 'Zopim-Reseller-API ' + $('#api_token').val() + ':' + sig;
        var headers = {'API-Date': date, Authorization: auth};

        $.ajax({
            url: url,
            type: method,
            dataType: 'json',
            success: function() { alert('hello!'); },
            error: function() { alert('boo!'); },
            beforeSend: setHeader
        });

        // Attach the authentication headers to the outgoing request.
        function setHeader(xhr) {
            xhr.setRequestHeader('Authorization', auth);
            xhr.setRequestHeader('API-Date', date);
        }
    });
});

This code should send a GET request, but Chrome shows me the following data:

  

Remote Address: 67.23.229.9:443
Request URL: link
Request Method: OPTIONS
Status Code: 200 OK
Request Headers
  Accept: */*
  Accept-Encoding: gzip, deflate, sdch
  Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
  Access-Control-Request-Headers: accept, authorization, api-date
  Access-Control-Request-Method: GET
  Connection: keep-alive
  Host: reseller.zopim.com
  Origin: link

And it gives this error:

  

XMLHttpRequest cannot load link. Request header field Authorization is not allowed by Access-Control-Allow-Headers.

    
asked by anonymous 13.06.2014 / 22:04

2 answers

2

The problem is Cross-Origin Resource Sharing.

The HTTP protocol considers the following methods as simple requests:

  • GET
  • POST
  • HEAD

The rest, such as OPTIONS, are Preflighted Requests. OPTIONS in particular serves to ensure the security of the request. The data passed to the server determines whether the information is secure or not - if it is, the object is "unzipped" and read in a certain way provided by the [server] itself.

Your dataType, in this case, is json, your method is GET, and you are using a custom header, so your request is "preflighted" - meaning that unless specified on the server, the method will be OPTIONS.

    
20.06.2014 / 17:00
0

What happens is the following: for HTTP request methods that can cause side effects on server data (in particular, for non-GET HTTP methods, or for using GET with certain MIME types), the specification determines that browsers "pre-send" the request, requesting the methods supported by the server with an HTTP OPTIONS request method, and then, after "approval" of the server, send the true request with the effective HTTP request method.

By default, browsers do not send the Authorization HTTP header in HTTP OPTIONS requests, so your server/API must be requiring Authorization for all HTTP methods, and so it fails on the first HTTP OPTIONS request and bars the HTTP GET request.

To correct the problem, you must configure your server/API to allow HTTP OPTIONS requests without the Authorization header.

Information from:
 - HTTP Access Control (CORS) - HTTP | MDN
 - cors - Authorization header not sent with http request angular 6 with OPTIONS method - Stack Overflow

    
18.10.2018 / 17:05
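
The server-side behaviour the second answer asks for, as an added example (not code from the post or from the API in the question): the preflight is answered before the authentication check and lists the question's `Authorization` and `API-Date` headers in `Access-Control-Allow-Headers`, while the real request must still authenticate. The origin value and the `isAuthenticated` callback are assumptions.

```javascript
// Added example, not the API's real code. Header names are from the question;
// the origin below and the isAuthenticated callback are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['accept', 'authorization', 'api-date'];

// req: { method, headers } with lower-cased header names (as in Node's http).
// Returns { status, headers } for the CORS/auth layer in front of the API.
function corsGate(req, isAuthenticated) {
  const origin = req.headers['origin'];
  const cors = {};
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // Echo only allowlisted origins; never reflect an arbitrary Origin.
    cors['Access-Control-Allow-Origin'] = origin;
    cors['Vary'] = 'Origin';
  }
  const wantMethod = req.headers['access-control-request-method'];
  const isPreflight = req.method === 'OPTIONS' && origin && wantMethod;

  if (isPreflight) {
    // The browser sends no Authorization header on the preflight, so it is
    // answered here, before any authentication check.
    const wantHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = cors['Access-Control-Allow-Origin'] &&
      ALLOWED_METHODS.includes(wantMethod) &&
      wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {} };
    cors['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    cors['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    cors['Access-Control-Max-Age'] = '600';
    return { status: 204, headers: cors };
  }

  // The real GET/POST/... that follows still has to authenticate.
  if (!isAuthenticated(req)) return { status: 401, headers: cors };
  return { status: 200, headers: cors };
}
```

Because only requests carrying both `Origin` and `Access-Control-Request-Method` skip the authentication check, every other request, including a plain `OPTIONS`, is still rejected without credentials.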