Request header field content-type is not allowed
I have a third-party API which uses SOAP + XML.
I want to send a POST request.
Using Postman I can make this request without any problems.
However, I cannot send it with jQuery, getting an error: Access to XMLHttpRequest at '[api link]' from origin '[localhost]' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.
12 Replies
CORS issue
your server needs to communicate to the client that it's allowed to use those headers
postman doesn't care because its whole purpose is to make non-origin requests, but browsers care because that's a vulnerability
Is there anything I can do on client side to solve this issue?
no
funny
the server has to communicate CORS policies that allow the client to make those types of requests
is it 1st April task
if I use another browser?
probably not
it's a security feature that's turned on by default
Sorry, want to clarify some things.
By using CORS, the server protects itself, right?
So why can Postman go over the protection? I mean, if Postman can, then the server is not as protected..
no, by using CORS the browser protects you from malicious sites making requests to other websites on your behalf
postman can go over it because it doesn't care
browsers care
basically, CORS is the server telling the browser that the website you're currently on is allowed to make requests to it
yeah, that is why I asked about protection from Postman
sounds confusing to me
MDN Web Docs
Cross-Origin Resource Sharing (CORS) - HTTP | MDN
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in ord...
Thank you