CORS – Preflight Requests Issues

Update Jan 11, 2018
WPEngine Customers:
You must set the Allow Origin settings in your .htaccess file. See https://wpengine.com/support/platform-settings/ for more information.

It has come to my attention that there is a growing usage of frameworks that are running into issues with CORS (Cross-Origin HTTP Requests). The issue begins with OAuth2 not really supporting CORS, due to click hijacking made possible by front-end JS frameworks. With the newer technology using JS on the server side, the issue arises that these calls are failing to authenticate due to how the CORS requests are being made.

CORS works like the following. Before the client makes a POST request to the server, it sends a “preflight request”. This preflight request is an OPTIONS request that asks the server (the physical web server, not the OAuth server) a couple of things:

  1. Is the client allowed to make cross-origin POST requests?
  2. Which HTTP methods and headers are allowed/supported?

Ideally, the server replies that the calls are allowed, and the client then performs the actual POST request.

WP OAuth Server follows the OAuth2 draft and does not listen for the OPTIONS request. This is where the issue comes into play. To get around this, you can extend WP OAuth Server by hooking the “wo_before_api” action.

Paste the snippet below into your theme's functions.php file and your server will return the proper preflight response.

// Answer the browser's CORS preflight before WP OAuth Server handles the request.
function wo_cors_check_and_response() {
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        // "*" lets any origin call the API; narrow it to your own front-end
        // origins once the preflight is working.
        header('Access-Control-Allow-Origin: *');
        header('Access-Control-Allow-Methods: POST, GET');
        header('Access-Control-Allow-Headers: Authorization');
        // Seconds the browser may cache this answer; 1 while testing,
        // raise it (e.g. 1728000) once the headers are correct.
        header('Access-Control-Max-Age: 1');
        header('Content-Length: 0');
        header('Content-Type: text/plain; charset=UTF-8');
        exit(0); // the preflight carries no body
    }
}
add_action('wo_before_api', 'wo_cors_check_and_response');
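A tighter version of the same hook, added here as an example (not code from the WP OAuth Server project): it answers the preflight only for an explicit allowlist of origins and echoes the matching origin back instead of “*”, and it checks the method and headers the browser asked for. The two origins in the allowlist are placeholders, `status_header()` is WordPress's own helper, and `wo_before_api` is the action described above.

```php
// Added example, not code from the WP OAuth Server project: a preflight
// handler that answers only for origins on an explicit allowlist, so the
// response never contains "Access-Control-Allow-Origin: *".
// Placeholder allowlist: replace with the exact origins of your front ends.
function wo_cors_allowed_origins() {
    return array('https://app.example.com', 'https://admin.example.com');
}
// Exact, case-sensitive comparison. A prefix or substring check would also
// accept an origin such as "https://app.example.com.attacker.test".
function wo_cors_origin_allowed($origin) {
    return in_array($origin, wo_cors_allowed_origins(), true);
}
// Every header named in Access-Control-Request-Headers must be one we accept.
function wo_cors_headers_allowed($requested, $allowed) {
    foreach (array_filter(array_map('trim', explode(',', $requested))) as $name) {
        if (!in_array(strtolower($name), $allowed, true)) {
            return false;
        }
    }
    return true;
}
function wo_cors_preflight() {
    if ($_SERVER['REQUEST_METHOD'] !== 'OPTIONS') {
        return; // not a preflight, let WP OAuth Server handle the request
    }
    $methods = array('GET', 'POST');
    $headers = array('authorization', 'content-type');
    $origin  = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
    $method  = isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])
        ? strtoupper($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) : '';
    $wanted  = isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])
        ? $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] : '';

    if (!wo_cors_origin_allowed($origin) || !in_array($method, $methods, true)
        || !wo_cors_headers_allowed($wanted, $headers)) {
        status_header(403); // no Access-Control-* headers: the browser blocks the call
        exit;
    }
    header('Access-Control-Allow-Origin: ' . $origin); // echo the one matching origin
    header('Vary: Origin');                            // caches must key on Origin
    header('Access-Control-Allow-Methods: ' . implode(', ', $methods));
    header('Access-Control-Allow-Headers: ' . implode(', ', $headers));
    header('Access-Control-Max-Age: 600');             // browser may cache for 10 min
    status_header(204);                                // preflight has no body
    exit;
}
add_action('wo_before_api', 'wo_cors_preflight');
```

A rejected preflight gets a 403 with no Access-Control headers, which is enough for the browser to refuse the real request; the actual POST is still authenticated by WP OAuth Server as before.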
