#1003 haystack-auth (Node) - blocked by CORS policy

Parth Makwana Mon 15 Aug 2022

I am developing a React web application and I am trying to connect to SkySpark using the haystack-auth API. But it's throwing an error saying: "blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request. Uncaught (in promise) TypeError: Failed to fetch". I added the below in the headers as well:

this.headers['Access-Control-Allow-Origin'] = "*";
this.headers['Access-Control-Allow-Methods'] = "DELETE, POST, GET, OPTIONS";
this.headers['Access-Control-Allow-Headers'] = "Content-Type, Authorization, X-Requested-With";

But still not resolved. Does anyone know how to integrate this one??

Brian Frank Mon 15 Aug 2022

For the most part SkySpark is locked down to same origin (especially for authentication) for security purposes. What exactly is your architecture from a networking/code loading perspective?

Parth Makwana Wed 17 Aug 2022

What exactly are you asking? I couldn't get it!

Doug Sims Thu 18 Aug 2022

The question from Brian is asking for more details on how you are building the app. "developing react web application" is pretty vague and not enough information to give you a specific solution.

What are the domains between the web server making the request and the web server supplying the information? If the domains are different, you will get a cross-origin request security (CORS) error. To get around this, the most common solution is to use JSONP to wrap that call. You have to handle that on the other end though, and I'm not sure skyspark will do that natively.

The other solution is to keep everything in the same domain (usually with a proxy server), but moving the request URL to your skyspark URL should fix that.

The least secure method is to set CORS headers for allowed domains to all (as you did in your original post), but this has to be set on the server receiving the request (i.e. the skyspark server), not on the requesting server. A better security option is to only allow requests from a specific domain.
