37

I've read many answers of preflight and CORS so please do not post links referencing what I should read. Many of the answers are from a server-perspective, but I am the client in this case. Do I set the origin header? My assumption is that this is a simple request, am I right?

 req.open("POST", url, true);
 req.setRequestHeader( 'Content-Type',   'application/blahblah' );
 req.setRequestHeader( 'Accept', 'application/blahblah' );
 req.setRequestHeader("Authorization", "Basic " + btoa(user + ":" + pass)); 
 req.send();

Yet its still not working, my error:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 500.

Improve this question

4 Answers 4

Reset to default
38

If you want to set the authorization header

req.setRequestHeader('Authorization','Basic ' + Base64StringOfUserColonPassword);
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

req.setRequestHeader("Authorization", "Basic " + Base64.encode(user + ":" + pass)) ?? Where is this function coming from? An external lib?
Actually sorry I added this: req.setRequestHeader("Authorization", "Basic " + btoa(user + ":" + pass)); and it still doesnt work
window.btoa, not just btoa
Please see the last response in the post. Thank @NickSpicer. var invocation = new XMLHttpRequest(); invocation.open("GET", url, true, username, password); invocation.withCredentials = true;
On pure JavaScript it is: Buffer.from(user + ":" + password).toString('base64');
|
13

Solution:

var req = new XMLHttpRequest();
    req.setRequestHeader('Authorization', 'Basic [base64 encoded password here]' );
Improve this answer

1 Comment

Please see the last response in the post. Thank @NickSpicer. var invocation = new XMLHttpRequest(); invocation.open("GET", url, true, username, password); invocation.withCredentials = true;
6

If using this for an API request, adding the Authorization header will first make XMLHttpRequest send an OPTIONS request, which may be denied by some APIs.

To get around this you can also do: 

var invocation = new XMLHttpRequest();
invocation.open("GET", url, true, username, password);
invocation.withCredentials = true;

Which will add the Authorization header and also avoid the preflight request.

Improve this answer

1 Comment

What's the equivalent on 'http' ? (require('http'))
6

This post is old, but answering for anybody else who comes across it.

There is nothing wrong with your authorization header. The problem you are facing is CORS related.

You don't set the Origin header yourself. The browser does that for you. If your origin is null then I suspect this is because you are running your code from file:/// instead of http://.

Improve this answer

2 Comments

Think I might be having this issue. Do you have any solutions?
At least for chrome, run the browser with this flag --allow-file-access-from-files

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.