Greetings,
I am trying to use CORS (http://www.w3.org/TR/2009/WD-cors-20090317/#access-control-allow-methods-header) for an application on Safari, and when I try to read the response headers from the XMLHTTPRequest, I only receive the Content-Type. None of the other quite standard headers gets through, and I cannot figure out how to get this to work.
Anyone would happen to know how to fix this issue? Could this be a WebKit bug?
Edit
here is the config i use with nGinx:
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Headers Cache-Control,Pragma,Date;
add_header Access-Control-Allow-Methods GET,POST;
In order for headers to be exposes to JS, you need to set the Access-Control-Expose-Headers
header to a comma-separated list of headers you want to expose.
Unfortunately, this header is poorly supported. Mozilla only implemented it in Firefox 4, Webkit as of this moment still does not implement it. I am not sure about IE8 and above (google didn't turn up anything useful, and I don't have them around to test with myself).
(see also eg. Restrictions of XMLHttpRequest's getResponseHeader()? )
Have you verified that your server is actually emitting the Cache-Control, Pragma and Date headers? Perhaps set up a Wireshark trace on the client to see the actual HTTP headers that are being exchanged?
I've been in same situation yesterday. https://stackoverflow.com/users/713326/gijs gave you the right answer but there is another part that is specific to nginx that you have to take care.
"add header" is working only in the case where the response from a service is successful (200, 204, 301, 302 or 304). You have to do a custom build of nginx to include HttpHeadersMoreModule
(http://wiki.nginx.org/HttpHeadersMoreModule). After you have to replace add_header with more_set_headers.
Example:
more_set_headers 'Access-Control-Allow-Origin: $http_origin';
more_set_headers 'Access-Control-Allow-Credentials: false';
more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD, PUT, PATCH, DELETE';
more_set_headers 'Access-Control-Allow-Headers:Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Accept,Authorization;
more_set_headers 'Access-Control-Expose-Headers: Location';
REQUEST:
$.ajax({
url: "http://localhost:8079/students/add/",
type: "POST",
crossDomain: true,
data: JSON.stringify(somejson),
dataType: "json",
success: function (response) {
var resp = JSON.parse(response)
alert(resp.status);
},
error: function (xhr, status) {
alert("error");
}
});
RESPONSE:
response = HttpResponse(json.dumps('{"status" : "success"}'))
response.__setitem__("Content-type", "application/json")
response.__setitem__("Access-Control-Allow-Origin", "*")
return response