0

I have the following system.components middleware config, in which I'm using the ring.middleware wrap-cors, to allow for redirects to an external server:

(defn config []
  {:http-port  (Integer. (or (env :port) 5000))
   :middleware [[wrap-defaults api-defaults]
                wrap-with-logger
                wrap-gzip
                ignore-trailing-slash
                [wrap-reload {:dir "../../src"}]
                [wrap-trace :header :ui]
                wrap-params
                wrap-keyword-params
                wrap-cookies
                [wrap-cors :access-control-allow-headers #{"accept"
                                                            "accept-encoding"
                                                            "accept-language"
                                                            "authorization"
                                                            "content-type"
                                                           "origin"}
                 :access-control-allow-origin [#"https://some-url"]
                 :access-control-allow-methods [:delete :get
                                                :patch :post :put]]
                ]})

And this is supposed to insert headers into every response. But instead, on a request from the client which leads to a redirect to https://some-url, I get the following error in the client browser:

Access to XMLHttpRequest at 'https://someurl' (redirected from 'http://localhost:5000/some-uri') from origin 'http://localhost:5000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Why aren't the correct headers in the response despite adding the middleware?

-- EDIT --

I've also tried the [jumblerg.middleware.cors] wrap-cors middleware like so:

(defn config []
  {:http-port  (Integer. (or (env :port) 5000))
   :middleware [[wrap-defaults api-defaults]
                wrap-with-logger
                wrap-gzip
                ignore-trailing-slash
                [wrap-reload {:dir "../../src"}]
                [wrap-trace :header :ui]
                wrap-params
                wrap-keyword-params
                wrap-cookies
                [wrap-cors #".*"]
                ]})

And have added the headers using liberator like so:

(defresource some-route [redirect-uri]
  :available-media-types ["application/json"]
  :allowed-methods [:post]
  :post-redirect? true
  :as-response (fn [d ctx]
                 ;; added headers
                 (-> (as-response d ctx)
                     (assoc-in [:headers "Access-Control-Allow-Origin"] "*")
                     (assoc-in [:headers "Access-Control-Allow-Headers"] "Content-Type")
                     )

                 )
   ;; redirect uri
  :location redirect-uri

  )

But still get the ````No 'Access-Control-Allow-Origin' header is present on the requested resource.``` error

zengod
  • 1,114
  • 13
  • 26

1 Answers1

1

Try this library to (wrap-cors): [jumblerg/ring-cors "2.0.0"]

like this: (wrap-cors your-routes identity)

Note the third parameter is a function to determine if an origin is allowed (or a list of reg exp)

You might have to add a manual route though:

(OPTIONS "/yourendpoint" req {:headers {"Access-Control-Allow-Headers" "*"}})

Jochen Bedersdorfer
  • 4,093
  • 24
  • 26
  • I tried this library too and manually added the headers (see edit) but still no headers in response. – zengod Mar 05 '20 at 09:59
  • CORS is tricky. Your best bet is to use a tool like curl or http or Postman to see the actual URLs being requested and the HTTP headers exchanged. Then add debug println to your ring routes. I'm not familliar with liberator and don't know how to do that. – Jochen Bedersdorfer Mar 05 '20 at 16:47
  • Even without liberator, the browser says that Access-Control-Allow-Origin isn't present even though it is in the response: https://stackoverflow.com/questions/60681757/browser-says-access-control-allow-origin-header-not-present-in-clojure-ring?noredirect=1#comment107361884_60681757 – zengod Mar 14 '20 at 12:09