C#•2y ago

Request header field content-type is not allowed

I have a third party API which uses SOAP + xml.
I want to send a post request.
Using Postman I can make this request without any problems.
However, I cannot send it with JQuery, getting an error: Access to XMLHttpRequest at '[api link]' from origin '[localhost]' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

Jimmacle•4/2/24, 8:29 PM

CORS issue

Jimmacle•4/2/24, 8:30 PM

your server needs to communicate to the client that it's allowed to use those headers

Jimmacle•4/2/24, 8:30 PM

postman doesn't care because its whole purpose is to make non-origin requests, but browsers care because that's a vulnerability

slezyradostiOP•4/2/24, 8:31 PM

Is there anything I can do on client side to solve this issue?

Jimmacle•4/2/24, 8:31 PM

slezyradostiOP•4/2/24, 8:31 PM

funny

Jimmacle•4/2/24, 8:31 PM

the server has to communicate CORS policies that allow the client to make those types of requests

slezyradostiOP•4/2/24, 8:31 PM

is it 1st aplir task

JJimmacle postman doesn't care because its whole purpose is to make non-origin requests, b...

slezyradostiOP•4/2/24, 8:31 PM

if I use other browser?

Jimmacle•4/2/24, 8:31 PM

probably not

Jimmacle•4/2/24, 8:32 PM

it's a security feature that's turned on by default

slezyradostiOP•4/2/24, 8:33 PM

Sorry, want to clarify some things.
By using CORS sever protects itself, right?
So why Postman can go over the protection? I mean, if Postman can, then server is not as protected..

Jimmacle•4/2/24, 8:35 PM

no, by using CORS the browser protects you from malicious sites making requests to other websites on your behalf

Jimmacle•4/2/24, 8:35 PM

postman can go over it because it doesn't care

Jimmacle•4/2/24, 8:35 PM

browsers care

Jimmacle•4/2/24, 8:37 PM

basically, CORS is the server telling the browser that the website you're currently on is allowed to make requests to it

JJimmacle basically, CORS is the server telling the browser that the website you're curren...

slezyradostiOP•4/2/24, 8:38 PM

yeah, that is why I asked about protection from Postman

slezyradostiOP•4/2/24, 8:38 PM

sounds confusing to me

Jimmacle•4/2/24, 8:38 PM

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

MDN Web Docs

Cross-Origin Resource Sharing (CORS) - HTTP | MDN

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in ord...

slezyradostiOP•4/2/24, 8:40 PM

Thank you

Request header field content-type is not allowed

Similar Threads

Similar Threads

Similar Threads