0

I have a Ruby On rails Json API. I also have an AngularJS frontend and I am making CORS requests.

Everything works ok when I return 200 (for example on posts it's actually calling OPTIONS method and getting cors headers for the server). But when I return 401 (unauthorized) I get a Cross site error. I want to handle this error and show an appropiate message (when the user is not authorized to execute a method) but it seems that 401 response fires CORS error.

Any help?

Improve this question
1
  • Could you add the code snippet showing how you are currently making these requests using AngularJS? Commented Nov 22, 2013 at 18:45

1 Answer 1

Reset to default
2

CORS is independent of authentication. Your should layer your CORS response on top of your actual response. So in the case of an authentication error, here's how you should respond:

  1. The preflight response (e.g. the response to the OPTIONS request) should always return HTTP 200, along with the appropriate CORS headers: Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers (if necessary). There should be no body on the preflight response.
  2. The actual response should respond with 401, if there is an auth error. But it should still have the CORS headers, e.g. Access-Control-Allow-Origin etc.

This tells the browser that the cross-origin request was successful, but there was an underlying issue with the request (e.g. the auth error).

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

what does it mean that it is "orthogonal"
"Orthogonal" means "independent". I updated the text.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.