Resolving Checkmarx issues reported
So, here we are using input variable String[] args without any validation…
Explaining issue: response to preflight request doesn't pass access control check
December 19, 2017
Problem
You are developing a nodejs web application having some UI and backend APIs (express). You encounter the following issue:
response to preflight request doesn't pass access control check: no 'access-control-allow-origin' header is present on the requested resource. origin 'https://yourweb.com' is therefore not allowed access
Pre Solution discussion
On the first google result, you may find following suggestions:- add some headers like "Access-Control-Allow-Origin" and "Access-Control-Allow-Headers".
- add "Access-Control-Request-Headers"
- Use Cors (https://www.npmjs.com/package/cors)
- Allow OPTIONS httpresponse
- etc
Well, none of them works (at least in my case)!
Reason
My UI application was built in backbone js (https://marionettejs.com/), and was using nodejs express backend. I was using Microsoft OTKA authentication URL(SSO).So, UI was calling an API to fetch user information, and since the user is not authenticated. Backend denied the request, and send a 302 redirect to OKTA url. Since UI was calling API via XHR. And, when it got the redirect URL, and XHR automatically tries to load that OKTA URL, and failed as expected.
Note: No additional header will solve this issue. And, this is not related to CSP.
Solution
The solution is to not to tell XHR request to load that redirect URL, and let the user fetch call fails with 401. And, configure your javascript to go to that redirectUrl by using window object.See code below:
$(document).ajaxError((e, x) => {
if (x.status === 401) {
//In case we got an unauthorized then please do redirect and
// load the login page
storage.set('callback', window.location.hash);
window.location = jQuery.parseJSON(x.responseText).redirectUrl;
}
//else handle something
});To Read
You can read more about this issue in wiki :https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Preflight_exampleAhh, this problem ate my 2 days.
Similar Posts
How to Fix Drupal Mysql error - Communication link failure: 1153 Got a packet bigger than 'max_allowed_packet' bytes
Introduction While this topic may applicable to all mysql/mariadb users who…
Moment.js - How to perform date relatedd arithmetic in javascript/NodeJs
Introduction In your backend and frontend projects, you always need to deal with…
How to Copy Local Docker Image to Another Host Without Repository and Load
Introduction Consider a scenario where you are building a docker image on your…
How to get all image tags from an html - php code
I wanted to fetch all image tags from a big html, and wanted to perform some…
How to Solve Spring Okta/Saml issue of SAML message intended destination endpoint did not match the recipient endpoint
Introduction I was trying to integrate Okta with Spring, and when I deploy the…
Latest Posts
Django Python - How to Build Docker Image and Run Web-service on Apache with Python 3.9
Introduction So you have a Django project, and want to run it using docker image…
Python - How to Maintain Quality Build Process Using Pylint and Unittest Coverage With Minimum Threshold Values
Introduction It is very important to introduce few process so that your code and…
Example Jenkin Groovy Pipeline Script for Building Python Projects with Git Events and Push to Artifactory
Introduction In this post, we will see a sample Jenkin Pipeline Groovy script…
Python - How to Implement Timed-Function which gets Timeout After Specified Max Timeout Value
Introduction We often require to execute in timed manner, i.e. to specify a max…
Kubernetes - How to Set Namespace So You Do Not Need to Mention it Again and Again in Kubectl Commands.
Introduction In some of the cases, we need to specify namespace name along with…
Kubernetes - How to Configure Docker Repository to Pull Image and Configure Secret
Introduction In most of cases, you are not pulling images from docker hub public…