3

I am really out of knowledge here; I searched GitHub, Google and StackOverflow to an extreme extend on this issue with no resolution.

I have a Angular Fullstack Generator App. This is build as follows:

Node -> Express -> Angular

I am doing nothing out of the ordinary here; my app runs perfectly fine on my development machine in my home. Yet, as soon as I build it, minify it and start it on my server in the Internet via node instead of grunt; I am seeing the html rendered, the css loaded, yet when trying to authenticate (I am using express-jwt for this); I am getting CROSS Domain Origin Problems all over the board.

I am using the CORS Module on npm; that is that one that does not require any setup in order to let everything through, so dont mark this question a duplicate, it is not; i can assure you!

These is how my app.js on my server side basically is constructed:

var express = require('express');
var app     = express();
var config  = require('./config/environment');
var cors    = require('cors');
var server  = require('http').createServer(app);

require('./config/express')(app);
require('./routes')(app);
require('./config/passport')(passport); 

app.use(cors());
app.options('*', cors()); 

require('./routes')(app, passport);

server.listen(config.port, config.ip, function () {
  console.log('Express server listening on %d, in %s mode', config.port, app.get('env'));
});

exports = module.exports = app;

This is what my browser is showing me:

Cross-Origin-Request blocked: The Same-Origin-Policy....

I do not understand - I am not x-origin requesting anything at all. All the resources are residing on my server. All requests come from one single Browser.

You can see in the response headers:

 access-control-allow-origin: *

Then when signin in an OPTIONS request is send to localhost instead of the FQDN and immediately aborted in red letters.

Stephan Kristyn
  • 15,015
  • 14
  • 88
  • 147
  • 1
    If everything is residing in the same domain then you don't really need to use any CORS middleware. Make sure it is the same protocol: http and https is considered cross domain origin. Without seeing actual request response it's hard to tell, can you capture your request? – Tomas Kirda Feb 17 '15 at 00:37
  • 1
    If I try this is actually hitting http://localhost:8080/user/signin, that explains everything. Take a look at chrome dev tools network tab. – Tomas Kirda Feb 17 '15 at 01:02
  • Yes - I am seeing that as well (using Firebug network tab). Do you have any idea how to fix the issue? a) Why is CORS not working; see the headers: it is enabled with a Asterix Symbol `*` ? b) Where should I tune my app in order to make the localhost:8080 go away? Express is listeneing on localhost and nginx is proxy forwarding all requests to localhost. – Stephan Kristyn Feb 17 '15 at 01:31
  • Ok, I managed to remove the localhost from my app. I was on the angular side. But now I am still seeing the CORS Error Warning in Firebug. I still not understand. – Stephan Kristyn Feb 17 '15 at 02:54

1 Answers1

1

Cors must be invoked before the routes. This is how I got rid of all CROSS Domain Origin problems once an for all:

var cors    = require('cors');

app.use(cors());
app.options('*', cors()); 

require('./routes')(app);
Stephan Kristyn
  • 15,015
  • 14
  • 88
  • 147