Problem with cross-origin HTTP request

Hi dear Xojo-community!

My question is about handling cross-origin HTTP requests in Xojo WebApplications:
For our project we have used an extended Version of the LUNA Webservice. Worked really great!! We use it as a webservice for requests coming from a few android-devices from which our app sends RESTful methods. Until now, they sended simple Webrequest, without using preflight wegrequests. Handling them was no problem. But since the last uupdate occured on the devices, the apps are now using CORS-HTTP-Requests. Now the LUNA Webservice doesn’t work anymore.

Now there’s coming a preflight-request at first, which fires the HandleSpecialURL-Event in the Webservice. But this is just an Options-Request without having any data in the payload or authorization, just asking for permission for doing the following real POST-Request. As written in the documentation (link below), you have to set some attributes into the answer-request-header like it is descripted in the documentation (Access-Control-Allow-Origin, Access-Control-Allow-Methods, etc… must be set). When sent back to the client with correct Header-Data, an second Request (the real POST-request) should be sent from the Client, firing the HandleSpecialURL-Event again and doing its work. But theres no second request coming from the Client and firing the event.

The CORS-request-documentation we use:
https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
or
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Heres the content of the preflight request client to webservice:

OPTIONS /special/v1/export/ConnectionPostV1 HTTP/1.1
Host: 192.168.1.30:32323
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Linux; Android 6.0; 5023F Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 Mobile Safari/537.36
Access-Control-Request-Headers: authorization,content-type
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,en-US;q=0.9
X-Requested-With: sa.warenerfassung.sl

thats the content of the answer-request of the webservice:

HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Date: Fri, 03 Aug 2018 10:55:09 GMT
Server: Luna/2016.02.19
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 86400
Content-Length: 0

My question is: generally, can xojo-webapplications handle this CORS-HTTP-requests? Has someone else experience with CORS-HTTP-Requests in XOJO? Do we have to consider some other things?

Thanks a lot!
greeting, Klemens

@Klemens Weinberger: Are you running the Luna instance behind a proxy server? If not, you might want to consider doing so.

For example, run it behind nginx, let nginx handle the CORS aspect of the request, and have it pass the “real” request off to Luna for processing.