Trying to build a DNN Service Framework WebAPI but I'm having trouble consuming it with CORS. I have all of the appropriate headers (I think) but it still doesn't seem to be w
Your server responds with the following custom header to the preflight request:
Access-Control-All-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
whereas if you (or the person who wrote this server) read carefully about CORS he should have responded with:
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
Now the client could go ahead and use the Key custom header.
This being said, Bearer is quite specific to OAuth 2 which is sent throughout the Authorization header. Using Key seems like a terrible violation of RFCs and stuff and a wheel reinvention kinda.
Add this to your server response headers:
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token , Authorization');
Please note the typo in Nyx's question and Darin's answer ('ow' missing). So it's
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
and it resolves the error message 'Request header field some-header-field is not allowed by Access-Control-Allow-Headers in preflight mode', if sent as an answer to the browser's OPTIONS request.
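To check a preflight response for the misspelling discussed in the answers above, the following added example (not code from any of the posts) models the browser's Access-Control-Allow-Headers check in JavaScript. The function names and the sample response objects are hypothetical, and the wildcard handling goes beyond what the thread covers.

```javascript
// Added example: simplified model of the header part of a CORS preflight check.
// Function names and the sample responses below are constructed for illustration.

// Split a comma-separated header value into lower-cased names.
function parseList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// requestHeaders: value of Access-Control-Request-Headers sent by the browser.
// responseHeaders: headers of the server's reply to the OPTIONS request.
// Returns the requested header names the response does not allow.
function blockedHeaders(requestHeaders, responseHeaders, withCredentials = false) {
  // Header names are case-insensitive, so normalise the response first.
  const resp = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    resp[name.toLowerCase()] = value;
  }
  // A misspelled header name is simply absent here, so nothing is allowed.
  const allowed = parseList(resp["access-control-allow-headers"]);
  // "*" is a wildcard only for non-credentialed requests,
  // and it never covers the Authorization header.
  const wildcard = !withCredentials && allowed.includes("*");
  return parseList(requestHeaders).filter(h => {
    if (allowed.includes(h)) return false;
    return !(wildcard && h !== "authorization");
  });
}

// Constructed sample responses: the misspelled header from the question,
// the corrected header, and a wildcard policy.
const misspelled = {
  "Access-Control-All-Headers": "Origin, X-Requested-With, Content-Type, Accept, Key",
};
const corrected = {
  "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept, Key",
};
const star = { "Access-Control-Allow-Headers": "*" };

console.log(blockedHeaders("key, content-type", misspelled));
console.log(blockedHeaders("Key, Content-Type", corrected));
console.log(blockedHeaders("key, authorization", star));
console.log(blockedHeaders("key", star, true));
```

An empty result means every requested header passed; any name returned is one the browser would refuse to send on the actual request.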