Vinicius Viotto Sponchiado
Preflight request (OPTIONS) to a REST API endpoint doesn't work without Authorization header
Hi, we are trying to integrate a web application with the Salesforce REST API but we are having some CORS issues.
The domain is whitelisted in Salesforce (currently testing on localhost), and all requests work fine if we send the OAuth token as a query param in the URL like this:
https://test.salesforce.com/id/XXXXXXXX/YYYYYYYY?oauth_token=access_token
But if we try to send the token using the Authorization header instead of passing it in the URL, like this:
Authorization: Bearer access_token
It fails with a CORS error because the preflight request to the same URL using the OPTIONS method returns a 403 with error "Missing OAuth token".
This happens because the browser omits the Authorization header when doing the preflight request; this is actually documented in the CORS spec (https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0): "for a cross-origin request with preflight … make a preflight request … Exclude user credentials"
Is there any workaround for this?
Thanks for the help =)
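As an added example (not part of the original post and not Salesforce's code), this sketch models an endpoint that answers the CORS preflight before checking the token, next to an auth-first ordering that reproduces the 403 described above. The allowlisted origin, function names and response bodies are assumptions, and header names are assumed lower-cased as Node's http module delivers them.

```javascript
// Added example: hypothetical server-side handling, not Salesforce code.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]); // constructed allowlist
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

function isPreflight(req) {
  return req.method === "OPTIONS" && "origin" in req.headers &&
    "access-control-request-method" in req.headers;
}

function handlePreflight(req) {
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  const wanted = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = ALLOWED_ORIGINS.has(origin) && ALLOWED_METHODS.includes(method) &&
    wanted.every((h) => ALLOWED_HEADERS.includes(h));
  if (!allowed) return { status: 403, headers: {}, body: "CORS preflight rejected" };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // echo the one allowlisted origin, never "*"
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Vary": "Origin",
    },
    body: "",
  };
}

// authFirst = true models the behaviour reported in the post: the token check
// runs before the preflight is recognised, so the OPTIONS request gets a 403.
function handleRequest(req, { authFirst = false } = {}) {
  const hasToken = /^Bearer \S+$/.test(req.headers["authorization"] || "");
  if (authFirst && !hasToken) return { status: 403, headers: {}, body: "Missing OAuth token" };
  if (isPreflight(req)) return handlePreflight(req);
  if (!hasToken) return { status: 401, headers: {}, body: "Missing OAuth token" };
  const origin = req.headers["origin"];
  const cors = ALLOWED_ORIGINS.has(origin)
    ? { "Access-Control-Allow-Origin": origin, "Vary": "Origin" } : {};
  return { status: 200, headers: cors, body: "ok" };
}

// Constructed preflight for a GET that will carry an Authorization header.
const samplePreflight = {
  method: "OPTIONS",
  headers: { "origin": "http://localhost:3000", "access-control-request-method": "GET",
    "access-control-request-headers": "authorization" },
};
```

The preflight path never skips authentication for the real request: a GET without a token still gets a 401, and a preflight from an origin outside the allowlist is rejected.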
thus
Phil
Hi Phil, thanks for the reply.
Unfortunately, using 'OAuth' instead of 'Bearer' didn't work.
What is weird is that we only have this problem with this specific endpoint; all others work correctly using the Authorization header.