CORS not working on Safari 9.3

Hi,

I have added CORS policy in my API and it works fine in safari 10 and above, but fails for safari 9.3.

It says:

XMLHttpRequest cannot load https://commspartnerqa-test.apigee.net/api/v1/comms. Origin https://falconehrproject3.davita.com is not allowed by Access-Control-Allow-Origin.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <Description/>
    <FaultRules/>
    <PreFlow name="PreFlow">
        <Request/>
        <Response/>
    </PreFlow>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <Flows>
        <Flow name="OptionsPreFlight">
            <Request/>
            <Response>
                <Step>
                    <Name>add-cors</Name>
                </Step>
            </Response>
            <Condition>(request.verb == "OPTIONS") and (request.header.origin != null) and (request.header.Access-Control-Request-Method != null)</Condition>
        </Flow>
        <Flow name="VerifyAccessToken">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>verify-oauth-v2-access-token</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>Assign-Message-UserInfo</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>remove-header-authorization</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/") and (request.verb = "GET")</Condition>
        </Flow>
        <Flow name="VerifyAccessTokenMultiPath">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>verify-oauth-v2-access-token</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>Assign-Message-UserInfo</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>remove-header-authorization</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/app/version/*") and (request.verb = "GET")</Condition>
        </Flow>
        <Flow name="VerifyAccessTokenLibraryAPI">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>verify-oauth-v2-access-token</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>Assign-Message-UserInfo</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>remove-header-authorization</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/library") and (request.verb = "GET")</Condition>
        </Flow>
        <Flow name="VerifyAccessTokenLibraryAPI_FileDetail">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>verify-oauth-v2-access-token</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>Assign-Message-UserInfo</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>remove-header-authorization</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/library/*") and (request.verb = "GET")</Condition>
        </Flow>
        <Flow name="VerifyAccessTokenLibraryAPI_Children">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>verify-oauth-v2-access-token</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>Assign-Message-UserInfo</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>remove-header-authorization</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/library/*/*") and (request.verb = "GET")</Condition>
        </Flow>
        <Flow name="Flow-1">
            <Description>Call POST APIs</Description>
            <Request/>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/") and (request.verb = "POST")</Condition>
        </Flow>
        <Flow name="VerifyAccessTokenHead">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>verify-oauth-v2-access-token</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>Assign-Message-UserInfo</Name>
                </Step>
                <Step>
                    <FaultRules/>
                    <Name>remove-header-authorization</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/") and (request.verb = "HEAD")</Condition>
        </Flow>
    </Flows>
    <HTTPProxyConnection>
        <BasePath>/api/v1/comms</BasePath>
        <Properties/>
        <VirtualHost>default</VirtualHost>
        <VirtualHost>secure</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="NoRoute">
        <Condition>(request.verb == "OPTIONS") and (request.header.origin != null) and (request.header.Access-Control-Request-Method != null)</Condition>
    </RouteRule>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>


and my CORS policy is:


<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <FaultRules/>
    <Properties/>
    <Add>
        <Headers>
            <Header name="Access-Control-Allow-Origin">*</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Headers">Origin, X-Requested-With, Accept, Authorization, X-PartnerId, X-UserId, X-UserRole, X-deviceType, Content-Type, X-Accept-Charset, X-Accept, X-HTTP-Method-Override, Cache-Control, Range</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE, HEAD, OPTIONS</Header>
        </Headers>
    </Add>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>


I am not sure why the same policy works for Safari 10 and fails in Safari 9.3. I tried a lot of workarounds but nothing works.

Does Apigee have an issue with Safari 9.3 that makes it trim the headers?
Please suggest.

Thanks,
Kumud
1 ACCEPTED SOLUTION

Not applicable

Hi @Kumud Gautam,

Not just in the preflight (OPTIONS call) but also in the actual call, you need to add the header below to the response. Please let me know if it works after you add that.

<Header name="Access-Control-Allow-Origin">*</Header>

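A corrected ProxyEndpoint for the accepted answer, written here as an added example (not Kumud's posted config and not an Apigee sample): add-cors from the question is attached once in the PostFlow response, so the preflight and the actual call both carry Access-Control-Allow-Origin, and again in a DefaultFaultRule, because a fault such as the 401 from verify-oauth-v2-access-token skips PostFlow and would otherwise reach the browser without the header, which Safari reports as a CORS failure rather than a 401. The DefaultFaultRule name is an assumption; every other name and condition is taken from the question.

```xml
<ProxyEndpoint name="default">
    <!-- Hypothetical name. A fault (e.g. the 401 from verify-oauth-v2-access-token)
         skips PostFlow, so add-cors is also run here; AlwaysEnforce keeps it
         running even when another FaultRule has handled the fault. -->
    <DefaultFaultRule name="cors-on-fault">
        <Step>
            <Name>add-cors</Name>
        </Step>
        <AlwaysEnforce>true</AlwaysEnforce>
    </DefaultFaultRule>
    <PreFlow name="PreFlow">
        <Request/>
        <Response/>
    </PreFlow>
    <PostFlow name="PostFlow">
        <Request/>
        <Response>
            <!-- Runs once for every successful response: the OPTIONS preflight
                 (answered by NoRoute) and the actual GET/POST/HEAD calls alike. -->
            <Step>
                <Name>add-cors</Name>
            </Step>
        </Response>
    </PostFlow>
    <Flows>
        <!-- The preflight flow no longer attaches add-cors itself: the policy uses
             <Add>, so running it twice would emit a duplicate
             Access-Control-Allow-Origin header, which browsers reject. -->
        <Flow name="OptionsPreFlight">
            <Request/>
            <Response/>
            <Condition>(request.verb == "OPTIONS") and (request.header.origin != null) and (request.header.Access-Control-Request-Method != null)</Condition>
        </Flow>
        <!-- The VerifyAccessToken* and Flow-1 flows from the question go here unchanged. -->
    </Flows>
    <HTTPProxyConnection>
        <BasePath>/api/v1/comms</BasePath>
        <VirtualHost>default</VirtualHost>
        <VirtualHost>secure</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="NoRoute">
        <Condition>(request.verb == "OPTIONS") and (request.header.origin != null) and (request.header.Access-Control-Request-Method != null)</Condition>
    </RouteRule>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
```

While revisiting this config, note that Flow-1 (POST to the base path) in the question carries no verify-oauth-v2-access-token step, so it is reachable without a token; confirm that is intended.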

7 REPLIES

Hi,

You might need to answer a few questions so we can help you better:

  1. Can you compare the request headers between the versions coming into Apigee Edge?
  2. What makes you think that Edge is trimming the headers?
  3. Anything evident in the Trace tool?
  4. Can you share the curl request made by both versions?

Hi @Sai Saran Vaidyanathan,

Answer inline:

1) The only difference I see between version 10 and 9.3 is that 9.3 has extra request headers:

Accept: application/json
Accept-Encoding: gzip,deflate
Accept-Language: en-us

2) The difference in headers between the two versions made me think that Edge is trimming or adding headers.

3) The Trace tool in version 9.3 shows a 401 in Verify Access Token: invalid access token

[screenshot attached: screen-shot-2017-05-15-at-23356-pm.png]

4) You need to use the three curls below; both versions use the same curls:

(i) To generate an access token:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" "https://commspartnerqa-test.apigee.net/oauth/client_credential/accesstoken?grant_type=client_credentials" -d 'client_id={value}&client_secret={value}'

(ii) To set user information in token body:

curl https://commspartnerqa-test.apigee.net/v1/setuserinfo -H "Authorization: Bearer {value}" -H "X-UserId: 10022017" -H "X-UserRole: Physician" -H "X-PartnerId:{value}"

(iii) To call API:

curl https://commspartnerqa-test.apigee.net/api/v1/comms -H "Authorization: Bearer {value}"

My guess is the request is losing the access token in the case of version 9.3, hence Apigee is failing with an invalid access token error.

But the same token works just fine in version 10.

I am not able to see the screenshot attached. In your trace, are you able to make the actual API call after the OPTIONS call? If you are seeing a 401, then it means the token is unauthorized to call this API. Can you confirm the configurations are all correct?

[screenshot attached: screen-shot-2017-05-15-at-23356-pm.png] Attaching the screenshot again.

Yes I am receiving a 401: invalid access token for version 9.3. But the same access token works fine in version 10 and above.

I am passing the same Authorization Bearer {access token} in both versions.

Thanks for the screenshot. I don't see the OPTIONS call in here, which means it's not CORS related. I can see that the Authorization is being sent. In the trace, I see them as ****

I would go back and check the configurations, like setting up the Product (including this proxy in the Product) and including the Product in the Developer App whose client credentials you are using to generate a token and call the API.


Thanks @Maruti Chand, @Sai Saran Vaidyanathan,

Adding the above header in the actual call worked.