{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 冷血范 的问题《POST succeeds on server but results in CORS error》','https://www.manongdao.com/q-173431.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I do an HTTP POST request to the microsoft login to get an access token to use with the mail API, the request succeeds but the code goes to the error clause of my code.
requestAccessToken(code: string)
{
console.log("request access token");
if (code) {
var headers = new Headers();
headers.append("Content-Type", 'application/x-www-form-urlencoded');
headers.append('Accept', 'application/json');
var requestoptions = new RequestOptions({
headers: headers
});
var body = `grant_type=authorization_code&
redirect_uri=http://localhost:4200&
code=`+ code + `&
client_id=4e[................]5ab&
client_secret=CE[..............]BC`;
this.http.post("https://login.microsoftonline.com/common/oauth2/v2.0/token", body, requestoptions).map((res: Response) =>
{
console.log("response given");
const data = res.json();
}).subscribe( (data) => {
console.log("The data is = " + data);
}, error => {
console.log("The error is = " + error)
});
}
The browser console shows this: XMLHttpRequest cannot load https://login.microsoftonline.com/common/oauth2/v2.0/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. zone.js:2019 XHR failed loading: POST "https://login.microsoftonline.com/common/oauth2/v2.0/token". outlook.service.ts:96 The error is = Response with status: 0 for URL: null
here's a screenshot to show it better
Now the real problem is that my request succeeds as shown below:
and the response shows my access token. So why cannot I get it from code? Why does it go the error-clause.
You already tagged your post correctly with "cors". Modern browsers does not allow accessing endpoints across domains, unless the endpoint sends cors-headers which allows you to access it.
If you check your network tab, there should be an OPTIONS-request to https://login.microsoftonline.com/common/oauth2/v2.0/token. This s called he preflight-request, which checks for Access-Control-Allow-Origin and Access-Control-Allow-Methods headers. Access-Control-Allow-Origin must contain your domain or *, and Control-Allow-Methods must contain POST or *.
I'm not familiar with the office apis, but i think there must be a way to configure your app as an valid endpoint. Perhaps this post will help you: https://msdn.microsoft.com/en-us/office/office365/howto/create-web-apps-using-cors-to-access-files-in-office-365
What you’re seeing is expected behavior when sending a cross-origin
POSTto a server that doesn’t include theAccess-Control-Allow-Originresponse header in its response.Specifically, as long as your cross-origin request has no characteristics that will cause your browser to do a preflight
OPTIONSrequest before doing yourPOSTrequest (which your request doesn’t) then thePOSTrequest will succeed on the server side—but, because the response from the server to thatPOSTrequest doesn’t include theAccess-Control-Allow-Originresponse header, your browser blocks your frontend code from being able to actually see the response the server sends.However, if you open browser devtools you can still see the response there. But just because the browser received the response and you can see it in devtools, it doesn’t mean the browser will expose the response to your code. It’ll only expose it when it has
Access-Control-Allow-Origin.That all may seem counter-intuitive but it all makes sense if you remember that the browser is the only point at which cross-origin restrictions are enforced. Servers don’t block cross-origin requests.
When the server you’re sending that
POSTrequest to receives the request, it doesn’t check the origin to decide whether to respond. The server just accepts thePOSTrequest and processes it and then sends a response. But then the browser blocks your code from access to that response.But it’s also important to remember that the browser doesn’t block your code from sending that
POSTrequest cross-origin. Browsers only block cross-origin requests from being sent when the requests have qualities (like special headers) that trigger the browser to do a preflight.So since your
POSTrequest isn’t one that triggers a preflight, the browser sends it and it succeeds.For the sake of comparison, consider what happens for cross-origin
GETrequests. In that case too, as long at theGETrequest isn’t one that triggers a preflight, the browser doesn’t refuse to send it cross-origin. Instead, the browser sends the request to the server, regardless. And the server receives thatGETrequest and sends a response.It’s only when that response comes back to the browser that something different happens—because again, in that case, if the response doesn’t include the
Access-Control-Allow-Originresponse header, then your browser won’t allow your frontend JavaScript code to access it.But obviously since the entire point of making a
GETrequest is to do something with the response, then in that case if your code can’t access the response, that’s a hard, total failure—in contrast to the case of thePOSTrequest, where the request body does actually still get posted as expected, but you just don’t have a way for your code to check the response to see if the request succeeded.