Hello All
My frontend is a Angular App running on localhost and ERPNext is running on a remote server.
Below is the setup for CORS at server
location @webserver {
add_header 'Access-Control-Allow-Origin' 'http://127.0.0.1:4200';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' 'http://127.0.0.1:4200';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' 'http://127.0.0.1:4200';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frappe-Site-Name <sitename here>;
proxy_set_header Host $host;
proxy_set_header X-Use-X-Accel-Redirect True;
proxy_read_timeout 120;
proxy_redirect off;
proxy_pass http://frappe_bench-frappe;
}
Also I am using
proxy_cookie_path ~(.*) “$1; SameSite=None;”;
To set cookie
---
add_breadcrumbs: 1
title: Configuration
metatags:
description: >
Frappe sites can share the same application server, each behind different
database solutions, configurations and locations, with different granularities
via the Site Config in Bench.
---
# Configuration
Frappe sites can share the same application server, each behind different
database solutions, configurations and locations, with different granularities
via the Site Config in Bench.
The Site Config stores all site-related information, from the site's Database
details to the custom domains that point to it. Through the Site Configuration,
we can define the key, value pairs that may change the behaviour of Frappe and your
Frappe Apps.
show original
Use the new allow_cors config
Thanks for your reply.
I have reset frappe_bench/config/nginx.conf to default
Still its giving CORS issue, login with correct details also doesn’t work.
try simple endpoints first. /api/method/ping or /api/method/version, it they work CORS work.
In case the api response is any error (non 200/2xx status code), it will respond with cors. This is because cors headers are set only on success response, for error response no cors headers are set.
It means cors error can be false error that hides the real underlying error.
Also confirm the version, or even accurate will be compare if cors code exists in frappe. Because sometimes versions are misleading.
Thanks Revant.
I was able to set the cors headers for success response. How do i set the same for error response?
I was able to set cors headers for error response as well setting below config in the old approach.
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' 'http://127.0.0.1:4200' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
Have added always attribute at the end
1 Like
In new version 12 and 13 of frappe not required to change in nginx configuration file because we can set allow_cors parameter in site_config.json and that will set headers for response.
I ran into a strange issue today
My angular app is on local host and i access it using 127.0.0.1:4200. With the above setup for cors and
proxy_cookie_path ~(.*) "$1; SameSite=none; httponly";
At server block of nginx config, i was able to access and the login was successfull, my app works fine
With the same setup i am installing in a new server, it doesnt work. The samesite is received as Lax from server always.
The old installation was for v12, now i am doing v13 in a new server
Any idea?
I finally found the issue after digging it for entire 24hrs
The line 340 below is setting samesite to “Lax”
def init_cookies(self):
if not frappe.local.session.get('sid'): return
# sid expires in 3 days
expires = datetime.datetime.now() + datetime.timedelta(days=3)
if frappe.session.sid:
self.set_cookie("sid", frappe.session.sid, expires=expires, httponly=True)
if frappe.session.session_country:
self.set_cookie("country", frappe.session.session_country)
def set_cookie(self, key, value, expires=None, secure=False, httponly=False, samesite="Lax"):
if not secure:
secure = frappe.local.request.scheme == "https"
self.cookies[key] = {
"value": value,
"expires": expires,
"secure": secure,
"httponly": httponly,
"samesite": samesite
}
This is the cause of issue for me. If i change it to None instead of Lax, things work fine as before.
But i dont want to change the code. Is there any config for this?
@adityahase Can you pls help me? since you have committed the change.