CORS headers not created correctly

englandscott · December 13, 2023, 6:05am

======== TEMPLATE BUG FORM ========

Wappler Version : 6.0.2
Operating System : Sonoma 14.1.2
Server Model: PHP
Database Type: MySQL
Hosting Type: Own

What do you think should happen?

CORS headers should be sent during preflight

What actually happens?

Access-Control-Allow-Origin header is not sent.

How to reproduce

The DMXConnect.php template is missing an * in the default config
This is what is created by Wappler
$CONFIG_CORS_ALLOWED_HEADERS = ’ ';

This is what should be created.
$CONFIG_CORS_ALLOWED_HEADERS = ‘*’;

Without the * in the default the origin function does not create the “Access-Control-Allow-Origin” header correctly so it does not get sent.

Placing a * in the default location fixes the problem however it is overwritten any time the dmxConnect.php is recreated by Wappler

This was a working project until the update to 6.0.

kfawcett · December 13, 2023, 6:54pm

Think this is due to another bug that they were trying to correct.

patrick · December 14, 2023, 9:48am

The default value * was wrong in combination with the allow credentials header. It should however return the same value as the request header Access-Control-Request-Headers.

The value * only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal header name * without special semantics. Note that the Authorization header can’t be wildcarded and always needs to be listed explicitly.

Access-Control-Allow-Headers - HTTP | MDN (mozilla.org)

Do not edit the dmxConnect.php file, you can set the CORS configation in the config file located at dmxConnect/config.php.

$CONFIG_CORS_ORIGIN = '*';
$CONFIG_CORS_ALLOWED_HEADERS = '*';

George · December 14, 2023, 10:41am

In the upcoming Wappler update 6.0.3 we will offer more options to set also the allowed headers and credentials in CORS.

Teodor · December 14, 2023, 1:24pm

This is now fixed in Wappler 6.0.3

englandscott · December 15, 2023, 12:08am

Got it to work after pushing the entire website after upgrading and populating Allowed Headers. Just populating the Allowed Headers does not save the changed config file to the remote server.

However if you do not fill the allowed headers under the COR option you will still get the preflight error. There should be a default of some kind that works. Currently the default is not to work.