Hi dear Xojo-community!
My question is about handling cross-origin HTTP requests in Xojo WebApplications:
For our project we have used an extended Version of the LUNA Webservice. Worked really great!! We use it as a webservice for requests coming from a few android-devices from which our app sends RESTful methods. Until now, they sended simple Webrequest, without using preflight wegrequests. Handling them was no problem. But since the last uupdate occured on the devices, the apps are now using CORS-HTTP-Requests. Now the LUNA Webservice doesn’t work anymore.
Now there’s coming a preflight-request at first, which fires the HandleSpecialURL-Event in the Webservice. But this is just an Options-Request without having any data in the payload or authorization, just asking for permission for doing the following real POST-Request. As written in the documentation (link below), you have to set some attributes into the answer-request-header like it is descripted in the documentation (Access-Control-Allow-Origin, Access-Control-Allow-Methods, etc… must be set). When sent back to the client with correct Header-Data, an second Request (the real POST-request) should be sent from the Client, firing the HandleSpecialURL-Event again and doing its work. But theres no second request coming from the Client and firing the event.
The CORS-request-documentation we use:
Heres the content of the preflight request client to webservice:
OPTIONS /special/v1/export/ConnectionPostV1 HTTP/1.1 Host: 192.168.1.30:32323 Connection: keep-alive Access-Control-Request-Method: POST Origin: http://localhost:8080 User-Agent: Mozilla/5.0 (Linux; Android 6.0; 5023F Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 Mobile Safari/537.36 Access-Control-Request-Headers: authorization,content-type Accept: */* Accept-Encoding: gzip, deflate Accept-Language: de-DE,en-US;q=0.9 X-Requested-With: sa.warenerfassung.sl
thats the content of the answer-request of the webservice:
HTTP/1.1 200 OK Content-Type: application/json Connection: keep-alive Date: Fri, 03 Aug 2018 10:55:09 GMT Server: Luna/2016.02.19 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST Access-Control-Max-Age: 86400 Content-Length: 0
My question is: generally, can xojo-webapplications handle this CORS-HTTP-requests? Has someone else experience with CORS-HTTP-Requests in XOJO? Do we have to consider some other things?
Thanks a lot!