Response body is not sent to client

I have a simple API proxy that calls a service. The service gives a response code 400 and a JSON string in the response body. However, the response body is not received by the calling client. I traced the call and I can see the response body in the trace. It is even in the response content field of the "response sent to client" step. But I don't receive it?

Any tips on what might be wrong here? I tried Postman and Firefox for sending the request.

ACCEPTED SOLUTION

I finally found the problem. It has to do with CORS.

My target server does not support CORS, so I had configured the "Add CORS" policy in Apigee. That policy was only added within a conditional flow. The condition limited it to OPTIONS requests. Thus, the Firefox browser received a positive answer for the preflight request and then sent the actual POST request. For this POST request, there were no CORS headers added in the response. It seems that Firefox also expects the "Access-Control-Allow-Origin" header for the actual request that is sent after the preflight request. Since that header was missing, Firefox discarded the received response body.

In fact, Firefox printed a warning message in the console about that:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading 
the remote resource at [url]. Reason: CORS header 'Access-Control-Allow-Origin' missing
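
A simplified model of the browser-side checks behind the behaviour described in this answer, added here as an example and not part of the original post. The function names are hypothetical, the origin, headers and JSON body are constructed sample data, and only the no-credentials case is covered.

```javascript
// Simplified model of the browser-side CORS checks from the Fetch standard.
// Constructed sample data; the header sets stand in for what the proxy returns.
const get = (headers, name) => {
  const k = Object.keys(headers).find(h => h.toLowerCase() === name.toLowerCase());
  return k === undefined ? null : headers[k];
};
const list = v => (v || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);

// Applied to every cross-origin response: the preflight AND the actual one.
function corsCheck(origin, headers) {
  const allow = get(headers, 'Access-Control-Allow-Origin');
  if (allow === null) return "CORS header 'Access-Control-Allow-Origin' missing";
  if (allow !== '*' && allow !== origin) return 'Access-Control-Allow-Origin does not match origin';
  return null; // null means the check passed
}

// Extra conditions that apply only to the OPTIONS preflight response.
function preflightCheck(req, res) {
  if (res.status < 200 || res.status > 299) return 'preflight status not ok';
  const failure = corsCheck(req.origin, res.headers);
  if (failure) return failure;
  const methods = list(get(res.headers, 'Access-Control-Allow-Methods'));
  const m = req.method.toLowerCase();
  const safelisted = ['get', 'head', 'post'].includes(m);
  if (!safelisted && !methods.includes(m) && !methods.includes('*')) return 'method not allowed';
  const allowed = list(get(res.headers, 'Access-Control-Allow-Headers'));
  const missing = req.unsafeHeaders.filter(h => !allowed.includes(h.toLowerCase()) && !allowed.includes('*'));
  return missing.length ? `request header ${missing[0]} not allowed` : null;
}

// What page script can observe for one preflighted request.
function simulate(req, preflightRes, actualRes) {
  const pre = preflightCheck(req, preflightRes);
  if (pre) return { requestSent: false, body: null, blockedBy: pre };
  const failure = corsCheck(req.origin, actualRes.headers);
  // The server has already processed the request here; only reading the response is blocked.
  return { requestSent: true, body: failure ? null : actualRes.body, blockedBy: failure };
}

// A JSON Content-Type is what makes this POST need a preflight.
const req = { origin: 'https://app.example', method: 'POST', unsafeHeaders: ['Content-Type'] };
const cors = { 'Access-Control-Allow-Origin': 'https://app.example', 'Access-Control-Allow-Headers': 'content-type' };
const preflight = { status: 200, headers: cors };
const errorBody = '{"error":"bad request"}';
// CORS headers only on the OPTIONS response (the setup in this thread) vs. on every response.
const broken = simulate(req, preflight, { status: 400, headers: {}, body: errorBody });
const fixed = simulate(req, preflight, { status: 400, headers: cors, body: errorBody });
console.log(broken, fixed);
```

In the `broken` case the request still reaches the target and the proxy still returns the body, which is why it shows up in the trace; the browser only withholds it from page script.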


2 REPLIES

Could you please provide the trace session here?
