Access-Control-Allow-Origin Error for jquery $.ajax call

revant_one · January 23, 2018, 7:51am

First try simple request to /api/method/version. or authenticated request to /api/method/ping

If simple requests work, there must be some other error.

jhe01 · January 23, 2018, 7:57am

I have tried your suggestion

and got an output of

Object { message: "9.2.22" }

but when i try the login request and used the same code above i got an Cross-Origin Request Blocked.

hmmm

jhe01 · January 23, 2018, 8:05am

so i tried to remove a line of code in my ajax request.

contentType: 'application/json; charset=utf-8',

and it works!

Thanks for your help @revant_one!

kickapoo · April 20, 2018, 1:35pm

Running on production server

sudo nginx -t -c /etc/nginx/conf.d/frappe-bench.conf

got

nginx: [emerg] "upstream" directive is not allowed here in /etc/nginx/conf.d/frappe-bench.conf:1
nginx: configuration file /etc/nginx/conf.d/frappe-bench.conf test failed

Before even updating for cors.

By any change someone knows what is goiing on ?

Bhaskar_Jain · April 20, 2018, 2:26pm

you need to run nginx -t -c on /etc/nginx/nginx.conf

bench creates its own conf file that gets included in nginx.conf

CostaRica · March 4, 2019, 9:12pm

Hi @revant_one

Is it /home/frappe/frappe-bench/config/nginx.conf or /etc/nginx/nginx.conf the one I am suppose to modify?

Thanks

aldoblack · March 5, 2019, 3:24am

I don’t know if this is fixed or not but you need to include headers in ajax call.

This is my AngularJS code:

service.getUsers = function (formData) {
            return $http({
                method: 'POST',
                url: urlBase + 'ec_site_survey.public.submit',
                headers: {
                    'Content-Type': 'application/json',
                    'X-Frappe-CSRF-Token': '{{ frappe.session.csrf_token }}'
                },
                data: {
                    formData: formData
                }
            });
        };

It worked for me.

CostaRica · March 5, 2019, 3:51pm

-Did you have to make changes to the nginx.conf for your code to work, @aldoblack ?

aldoblack · March 5, 2019, 4:04pm

No, I did not have to.

Just a question. Are you trying to call the api from another domain, or form the same?

If it from the same, use the one that I provided.

CostaRica · March 5, 2019, 6:04pm

It is from another domain, that is why I have the CORS problem

revant_one · March 5, 2019, 6:08pm

modify /home/frappe/frappe-bench/config/nginx.conf

Albertus · March 5, 2019, 6:20pm

Good Day

Maybe this not same issue, but i need help in correct direction to query api from javascript in correct manner. Want to use some information of ERPNext on my website.

I can get values easily with postman, but struggle to get same with ajax:

function firstLogin(email,password) {
var url = “http://192.168.xxx.xxx/api/method/login?usr=user&pwd=Password”
$.ajax({
url: url,
headers: {“Accept”: “application/json”},
contentType: “application/json”,
method: ‘POST’,
dataType: ‘json’,
crossDomain: true,
success: function(data){
alert(data);
}
}).fail(function(r){
alert(‘Failed!’);
});
}

Please help me.

Thank You

CostaRica · March 6, 2019, 12:28am

Thanks for replying, @revant_one.

I copied your gist and replaced location @webserver in /home/frappe/frappe-bench/config/nginx.conf
Restarted the server (DigitalOcean)
I could http://MY_ERPNEXT_IP/api/ directly in Firefox, Chrome, Postman AND Vue-Axios with no problems
I could http://MY_ERPNEXT_IP/api/method/login?usr=user&pwd=password directly in Firefox, Chrome and Postman with no problems, but not from Vue-Axios

Do you know what headers should I use?

I use

headers: {‘Authorization’: ‘APIKEY’, ‘Content-Type’: ‘application/x-www-form-urlencoded’},

But I get this error:

Access to XMLHttpRequest at ‘http://165.227.109.214/api/method/version’ from origin ‘http://127.0.0.1:8080’ has been blocked by CORS policy: Request header field x-frappe-csrf-token is not allowed by Access-Control-Allow-Headers in preflight response.

Thanks

aldoblack · March 6, 2019, 3:33pm

Here’s what I do usually.

On 127.0.0.1 server create a backend request. Python code or whatever language you are using.
From back end call http://165.227.109.214/api/method/version
From front end call the code on point 1 .

CostaRica · March 6, 2019, 4:15pm

I will try your workaround, @aldoblack. Thanks

CostaRica · April 21, 2019, 5:25pm

Hi @Albertus.

Take a look at Token Based Rest Api in JavaScript - #6 by CostaRica

You’ll find a simple but complete JavaScript and Python snippet for calling the ERPNext Rest Api

Hope this helps

peterg · May 6, 2019, 7:12am

Just a quick note for anyone struggling with CORS: @revant_one’s modifications to nginx.conf work great, but at least in some circumstances they apply the necessary headers only to successful API calls. That means, if the call fails for some other reason (403, 404, 500, etc.), you might get a misleading Access-Control-Allow-Origin error.

In other words, if you’re still getting Access-Control-Allow-Origin errors even after you’ve changed frappe-bench/config/nginx.conf and reloaded nginx, it’s very possible that CORS isn’t actually the problem but being reported as a false positive. Adding this in hopes of saving someone else some trouble.

Signed,
Someone who learned the hard way

SanRam · September 5, 2019, 11:39am

not able to understand what you are saying
pls can u explain in deep

sanket · May 20, 2020, 6:23am

How do we get actual status for errors like 401, 403 & 500 instead of CORS error?

I did not get cors error when the request returns with status code as 200. I have made the necessary configuration in nginx configuration also.

peterg · May 20, 2020, 7:02am

Excellent question, but unfortunately I don’t know the answer. My understanding of CORS and nginx configs is pretty superficial. Perhaps others in this thread might know, though.