OPTIONS localhost../.well-known/openid-configuration throws CORS Missing Allow Origin

@fabien4vo reported this error to me

I haven't been able to replicate it using Postman (interestingly using GET works for us both)

added BUG label

Isn't there a mismatch between http://localhost:8000/ and http://127.0.0.1:8000/ ?

If you access http://localhost:8000/.well-known/ directly from your browser what do you get ?

Can you access http://localhost:8000/.well-known/openid-configuration/ directly ?

Using the browser sends a GET request - but when using Postman to send OPTIONS it replies 200, without the Allow-Origin header set

changed the description

mentioned in merge request !11 (merged)

I investigated and realised that Allow-Origin wasn't being set on a couple of Views HEAD or OPTIONS requests where it was on GET

I opened a merge request which fixes this (!11 (merged) )

Hi @calummackervoy and @balessan,

I am not sure whether this is here I should report my problem.

I'm currently working on the sib upgrade for the happy-dev.fr website. While it's nearly finished, I encounter a similar issue that you can easily reproduce on the staging website.

1. Go to https://preview.happy-dev.fr/ and click on the mail icon (top right corner) or in the menu on Find a team
2. Choose the options and fill in the data as in the screenshot.
3. Press F12 and in the console you should see the following error message: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.preview.happy-dev.fr/contacts/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

What shall I do to fix this error? I've read that somewhere there needs to be a parameter set for access control.

The version of sib in use on the staging website is beta.

Thanks in advance for your reply !

@JulieBarbic this one should be created on the djangoldp package associated with your contact form, do you know which one it is ?

I mean it's a similar but different issue :-)

@balessan Can I call you now? Do you have a few minutes?

Not right now now :-/

Additional information, it's actually the POST which returns a 500 Internal Server Error: Curl request example for the POST:

curl 'https://api.preview.happy-dev.fr/contacts/' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0' -H 'Accept: */*' -H 'Accept-Language: en' --compressed -H 'Referer: https://preview.happy-dev.fr/en/contact' -H 'content-type: application/ld+json' -H 'Origin: https://preview.happy-dev.fr' -H 'Connection: keep-alive' -H 'Cookie: experimentation_subject_id=IjQ2NTdkOGE0LTg0YzYtNGM2ZS1iZGVhLWY3NTk2MTYwZDc4NSI%3D--a008a66e2de7f66c522bf56c0fc5dbbb8a13a20a' --data-raw $'{"name":"Toto","howareyou":{"@id":"http://localhost:8000/howareyous/1/"},"howhelp":{"@id":"http://localhost:8000/howhelps/4/"},"textfreelance":"","textporteur":"","textautre":"C\'est triste","domaine":"","clientlocation":"","workwish":"","project":"","document":"","budget":"","email":"contact@example.com","phone":"0606060606","@context":{"@vocab":"http://happy-dev.fr/owl/#","rdf":"http://www.w3.org/1999/02/22-rdf-syntax-ns#","rdfs":"http://www.w3.org/2000/01/rdf-schema#","ldp":"http://www.w3.org/ns/ldp#","foaf":"http://xmlns.com/foaf/0.1/","name":"rdfs:label","acl":"http://www.w3.org/ns/auth/acl#","permissions":"acl:accessControl","mode":"acl:mode","geo":"http://www.w3.org/2003/01/geo/wgs84_pos#","lat":"geo:lat","lng":"geo:long","hdType":"https://happy-dev.fr/owl/#type","event":"https://api.preview.happy-dev.fr/futureevents/","faq":"https://api.preview.happy-dev.fr/faqs/"}}'

Ok I will keep looking on my side. Thanks for your reply!

I'll let you know when I am available.

Great! I'm free anytime aside from 1pm to 2pm. Let me know and we can do a screen share via Jitsi.

@balessan I think that this confirms that the issue wasn't to do with 127.0.0.1 != localhost

.. in which case I have an MR open already which fixes this :) !11 (merged)

(the missing header not the POST 500)

@calummackervoy Thanks for your reply. So how do I get to test your fix on the staging server? What command line shall I run to update my code? Sorry I am new to this.

Not sure it's related @calummackervoy as I am not sure the Happy Dev website runs the django-webid-oidc-provider package :-) As far as I know there is no authentication there.

Sorry guys @balessan @calummackervoy. Indeed it is not related to this package in my case as a pip list on the staging server gives back:

• Django
• django-brotli
• django-cookies-samesite
• django-guardian
• djangoldp
• djangoldp-uploader
• djangorestframework
• djangorestframework-guardian
• hd-data

The Contact form is just using a solid-form template and the https://api.preview.happy-dev.fr/contacts/ call uses models.py in hd-data.

Not sure which djangoldp package should I add the access control then?

Your detailed erreur is:

Reason: header ‘user-agent’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response

It's related to djangoldp I think. What's your version ?

This is also affecting Energie Partagée (energie-partagee/djangoldp_energiepartagee#14)

I've opened an issue DjangoLDP-side here: djangoldp#358

Your detailed erreur is:

This is the error you replicated @balessan ? It's not different to the error which @JulieBarbic originally reported ?

mentioned in issue djangoldp#358

Sorry @calummackervoy in the end the issue was not related. @balessan helped me find the real issue and what was happening was : an api call was returning a 500 error because of missing email templates used to send emails via the Contact form and it is that 500 error that was generating the CORS header or something like that... So the first thing to do is to identify the root cause of the 500 error via the server log files if there is such an error in the energie-partagee case.

No problem, so strange that it generates a CORS header error. Thanks for the tip :)

on energie partagée project, when posting the contribution call (from the Front size), I have those errors :

OPTIONS http://localhost:8000/contributions/10/ CORS Missing Allow Origin

Blocage d’une requête multiorigines (Cross-Origin Request) : la politique « Same Origin » ne permet pas de consulter la ressource distante située sur http://localhost:8000/contributions/10/. Raison : l’en-tête CORS « Access-Control-Allow-Origin » est manquant.

Blocage d’une requête multiorigines (Cross-Origin Request) : la politique « Same Origin » ne permet pas de consulter la ressource distante située sur http://localhost:8000/contributions/10/. Raison : échec de la requête CORS.

same issue ?

initiale issue for information : energie-partagee/djangoldp_energiepartagee#14

closed via merge request !11 (merged)

mentioned in issue djangoldp#375 (closed)