link411 link412 link413 link414 link415 link416 link417 link418 link419 link420 link421 link422 link423 link424 link425 link426 link427 link428 link429 link430 link431 link432 link433 link434 link435 link436 link437 link438 link439 link440 link441 link442 link443 link444 link445 link446 link447 link448 link449 link450 link451 link452 link453 link454 link455 link456 link457 link458 link459 link460 link461 link462 link463 link464 link465 link466 link467 link468 link469 link470 link471 link472 link473 link474 link475 link476 link477 link478 link479 link480 link481 link482 link483 link484 link485 link486 link487 link488 link489 link490 link491 link492 link493 link494 link495 link496 link497 link498 link499 link500 link501 link502 link503 link504 link505 link506 link507 link508 link509 link510 link511 link512 link513 link514 link515 link516 link517 link518 link519 link520 link521 link522 link523 link524 link525 link526 link527 link528 link529 link530 link531 link532 link533 link534 link535 link536 link537 link538 link539 link540 link541 link542 link543 link544 link545 link546 link547

[Vue.js] CORS Post Request Fails

I built an API with the SLIM Micro-Framework. I setup some middleware that adds the CORS headers using the following code.

class Cors{

public function __invoke(Request $request, Response $response, $next){

$response = $next($request, $response);
return $response
->withHeader(‘Access-Control-Allow-Origin’, ‘http://mysite')
->withHeader(‘Access-Control-Allow-Headers’, ‘X-Requested-With, Content-Type, Accept, Origin, Authorization’)
->withHeader(‘Access-Control-Allow-Methods’, ‘GET, POST, PUT, DELETE, OPTIONS’);


For my front-end, I used VueJS. I setup VueResource and created a function with the following code.

register (context, email, password) {
url: ‘api/auth/register’,
method: ‘POST’,
data: {
email: email,
password: password
}).then(response => {
context.success = true
}, response => {
context.response =
context.error = true

In chrome, the following error is logged to the console.

XMLHttpRequest cannot load http://mysite:9800/api/auth/register. Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://mysite' is therefore not allowed access.

Oddly enough, GET requests work perfectly.

Solution :

You half 1/2 the solution here.

What you are missing is an OPTIONS route where these headers need to be added as well.

$app->options(‘/{routes:.+}’, function ($request, $response, $args) {
return $response
->withHeader(‘Access-Control-Allow-Origin’, ‘http://mysite')
->withHeader(‘Access-Control-Allow-Headers’, ‘X-Requested-With, Content-Type, Accept, Origin, Authorization’)
->withHeader(‘Access-Control-Allow-Methods’, ‘GET, POST, PUT, DELETE, OPTIONS’);

Solution 2:

Actually CORS is implemented at browser level. and Even with

return $response
->withHeader(‘Access-Control-Allow-Origin’, ‘http://mysite')
->withHeader(‘Access-Control-Allow-Headers’, ‘X-Requested-With, Content-Type, Accept, Origin, Authorization’)
->withHeader(‘Access-Control-Allow-Methods’, ‘GET, POST, PUT, DELETE, OPTIONS’);

chrome and Mozilla will not set headers to allow cross origin. So, you need forcefully disable that..

Read more about disabling CORS

Disable same origin policy in Chrome

Solution 3:

This happens because preflight request is of OPTIONS type. You need to make an event listener on the request, which checks the type and sends a response with needed headers.

Unfortunately i don’t know Slim framework, but here’s the working example in Symfony.

First the headers example to be returned:

// Headers allowed to be returned.
const ALLOWED_HEADERS = [‘Authorization’, ‘Origin’, ‘Content-Type’, ‘Content-Length’, ‘Accept’];

And in the request listener, there’s a onKernelRequest method that watches all requests that are coming in:

* @param GetResponseEvent $event
public function onKernelRequest(GetResponseEvent $event)
// Don’t do anything if it’s not the master request
if (!$event->isMasterRequest()) {

// Catch all pre-request events
if ($event->getRequest()->isMethod(‘OPTIONS’)) {
$router = $this->container->get(‘router’);
$pathInfo = $event->getRequest()->getPathInfo();

$response = new Response();
$response->headers->set(‘Access-Control-Allow-Origin’, $event->getRequest()->headers->get(‘Origin’));
$response->headers->set(‘Access-Control-Allow-Methods’, $this->getAllowedMethods($router, $pathInfo));
$response->headers->set(‘Access-Control-Allow-Headers’, implode(‘, ‘, self::ALLOWED_HEADERS));
$response->headers->set(‘Access-Control-Expose-Headers’, implode(‘, ‘, self::ALLOWED_HEADERS));
$response->headers->set(‘Access-Control-Allow-Credentials’, ‘true’);
$response->headers->set(‘Access-Control-Max-Age’, 60 * 60 * 24);

Here i just reproduce the Origin (all domains are allowed to request the resource, you should probably change it to the domain).
Hope it will give some glues.

Solution 4:

CORS can be hard to config. The key is that you need to set the special headers in the server and the client, and I don’t see any vue.js headers set, besides as far as I know http is not a function. However here is some setup for a post request.

const data = {
email: email,
password: password
const options = {
headers: {
‘Access-Control-Expose-Headers’: // all of the headers,
‘Access-Control-Allow-Origin’: ‘*‘
}‘api/auth/register’, JSON.stringify(data), options).then(response => {
// success
}, response => {
// error

Notice that you need to stringify the data and you need to expose the headers, usually including the Access-Control-Allow-Origin header.
What I did in one of my own apps was to define interceptors so I don’t worry to set headers for every request.

Vue.http.headers.common[‘Access-Control-Expose-Headers’] = ‘Origin, X-Requested-With, Content-Type, Accept, x-session-token, timeout, Content-Length, location, *‘
Vue.http.headers.common[‘Access-Control-Allow-Origin’] = ‘*‘