2

This is a unique situation, because I need to respond with CORS headers from a server, but the server is a create-react-app server running a react app.

I have 2 react applications, app1 (port 3002), app2 (port 3001) and 1 backend (port 3000). When I make a request from app1 to the backend (/api), it sends a 302 redirect to app2. This causes the browser to throw a CORS error because app2 doesn't respond to the preflight OPTIONS request with the access-control-allow-origin header. Is there a way to configure the CRA dev server to respond with this header? Or maybe these headers can be added via some proxy on app1?

Error

Access to XMLHttpRequest at 'http://localhost:3001/' (redirected from 'http://localhost:3002/api') from origin 'http://localhost:3002' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I've tried this on app1 with no luck:

src/setupProxy.js

const { createProxyMiddleware } = require('http-proxy-middleware');

module.exports = function(app) {
  app.use(
    '/api',
    createProxyMiddleware({
      target: 'http://localhost:3000',
      changeOrigin: true,
      onProxyRes: response => {
        response.headers['access-control-allow-origin'] = 'http://localhost:3002';
      },
    })
  );
};

I'm guessing maybe I need to add some config to the server on app2 so it will respond to the preflight request, but I don't know how.

Update: I found the node_modules/react-scripts/config/webpackDevServer.config.js and added

headers: {
      "Access-Control-Allow-Origin": "*",
      "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
      "Access-Control-Allow-Headers": "X-Requested-With, content-type, Authorization"
    },

This adds the headers to the CORS request, but not really a permanent solution. I imagine I have to use craco to do this?

Improve this question
8
  • 1
    What's the exact error you're seeing here? If your browser's been redirected to app2, that request doesn't go through app1's proxy. Commented Apr 20, 2021 at 15:15
  • Hey @jonrsharpe thanks for your response, I added the error above. "redirect from x to y has been blocked". Commented Apr 20, 2021 at 15:19
  • 1
    Should that really have been an XHR to begin with? Why would what appears to be a backend API request involve a redirect to a separate client app? Commented Apr 20, 2021 at 15:23
  • For example, Oauth2.0 responds to the auth code request with a redirect and the code is a query param. Commented Apr 20, 2021 at 15:39
  • 2
    In the web flow (see e.g. docs.github.com/en/developers/apps/…) you don't know or care how the provider's page is implemented - you send your user to e.g. github.com/login/oauth/authorize with some query parameters to identify your app etc., then some time later they appear back on your site with a code that your backend can then exchange for a token. Commented Apr 20, 2021 at 15:57

1 Answer 1

Reset to default
5

To do this, you can use craco. In project root folder:

yarn add -D @craco/craco
touch craco.config.js

craco.config.js

module.exports = {
  devServer: {
    headers: {
      "Access-Control-Allow-Origin": "https://example.com",
      "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
      "Access-Control-Allow-Headers": "X-Requested-With, content-type, Authorization",
      "Access-Control-Allow-Credentials": "true"
    },
  }
};

Note: This only edits the dev server configuration. This allows redirects initiated by the server with cookies (allow-credentials).

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Is this working for anyone? I did this, but no cors headers are added and I keep getting the cors issue. Not sure what's going on.
Same here, didn't see it work.
@EdyBourne you just need to change react-scripts with craco in package.json scripts section. That way you will actually utilize the craco config

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.