CORS preflight request doesn't pass access control check: It does not have HTTP ok status

11
votes

I am trying to make a GET/POST Request to my Wordpress REST API using Authorization Headers but in response i am getting

preflight request doesn't pass access control check: It does not have HTTP ok status.

I am using JWT Authentication for WP-API for Authentication and tried almost every possible option found on the internet but no luck.

Have a look at my current .htaccess configurations

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

</IfModule>

<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  <IfModule mod_setenvif.c>
    SetEnvIf Origin "^(http://localhost:3000)$" CORS=$0
  </IfModule>
  Header set Access-Control-Allow-Origin %{CORS}e env=CORS
  Header set Access-Control-Allow-Credentials "true" env=CORS
  Header set Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD" env=CORS
  Header set Access-Control-Allow-Headers "*" env=CORS
  Header set Access-Control-Expose-Headers "*" env=CORS
  <FilesMatch "\.(php|html)$">
  </FilesMatch>
</IfModule>

I am getting this error when the request is made from axios

Access to XMLHttpRequest at 'HIDDEN_SERVER_ADDRESS' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

In PostMan the calls are working fine and giving desired results.

1
phpwordpressapacherestcors
“In PostMan […]” - irrelevant, that is not a scenario where CORS applies in the first place. RewriteRule ^(.*)$ $1 [R=200,L] – that only tries to set the status code at this point, but the request still gets passed through to whatever script handles this URL route - so if that script then issues a different status code, it will simply overwrite this. - misorude
I am setting 200 Status code when OPTION headers are sent so my preflight request is validated. What can be the possible solution for this? - Azaz Khan
“so my preflight request is validated” - yeah, unless – what I just said … Just because you set the status code in .htaccess, doesn’t mean your PHP script - which still gets called with this request method - might not override it. (F.e. if it runs into a fatal error, because expected request data is missing.) - misorude

1 Answers

19
votes

Trying every possible solution in .htaccess didn't help in my case. So if anyone else is on the same page here is a solution that worked for me.

put this code in the index.php file and it will work like a charm.

header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: X-API-KEY, Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method,Access-Control-Request-Headers, Authorization");
header('Content-Type: application/json');
$method = $_SERVER['REQUEST_METHOD'];
if ($method == "OPTIONS") {
header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Headers: X-API-KEY, Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method,Access-Control-Request-Headers, Authorization");
header("HTTP/1.1 200 OK");
die();
}