
php - Refused to get unsafe header "Location" - Stack Overflow


I have a website and my REST api server.

I do an ajax POST request to the REST server to create a new model. The answer to this request will be an "HTTP/1.1 201 Created" response with header "Location: http://myapi.com/some/path/111". But I get the error message Refused to get unsafe header "Location". I know that this is because of cross domain access policy and other bla bla bla.

Does anybody know how to fix it? Maybe I have to add an "Access-Control-Allow-SOMETHINGHERE" header to the response?

UPD:

Web site URL http://www.mydomain.com/

Original URI is http://api.mydomain.com/model/ and new Location URI is http://api.mydomain.com/model/211

Original URI is used for the ajax POST request, which responds with the new Location header.

Asked Oct 8, 2011 at 22:23 by Eugene Manuilov; edited Oct 9, 2011 at 8:57
  • What is the original URL and what is the new Location URL? – Pekka Commented Oct 8, 2011 at 22:26
4 Answers

It's because the Location header is not exposed to the calling client (in this case your ajax code) by default (it's 'unsafe'). To expose it you have to return an additional header:

Access-Control-Expose-Headers: Location

This way the browser will expose it, so the client can read it. You can add multiple comma-separated headers there. More about it here. Here you can read which methods, headers & content types are safe (simple) and don't require any additional configuration.
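The browser-side filtering this answer describes, as an added example that is not part of the original answers: a small JavaScript model of which response headers a cross-origin script may read, following the Fetch standard's CORS-safelisted response header list. The function name `readableHeaders` and the sample header values are constructed for illustration.

```javascript
// Added example: models how a browser filters response headers for a
// cross-origin (CORS) XHR/fetch. Names here are hypothetical, not a browser API.
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]); // never readable by script

// headers: plain object of response headers.
// withCredentials: true if the request was sent with cookies / HTTP auth.
function readableHeaders(headers, withCredentials = false) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const exposeRaw = lower["access-control-expose-headers"] || "";
  const exposed = new Set(
    exposeRaw.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean));
  // "*" exposes every header only for requests made without credentials;
  // with credentials it is treated as a literal header name "*".
  const wildcard = exposed.has("*") && !withCredentials;

  const out = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || exposed.has(name) || wildcard) out[name] = value;
  }
  return out;
}

// Constructed sample response for the POST described in the question.
const base = {
  "Content-Type": "application/json",
  "Location": "http://api.mydomain.com/model/211",
  "Access-Control-Allow-Origin": "http://www.mydomain.com",
  "Set-Cookie": "sid=constructed",
};
const withoutExpose = readableHeaders(base);
const withExpose = readableHeaders(
  { ...base, "Access-Control-Expose-Headers": "Location" });
const wildcardWithCreds = readableHeaders(
  { ...base, "Access-Control-Expose-Headers": "*" }, true);

console.log("no expose header :", Object.keys(withoutExpose));
console.log("Expose: Location :", Object.keys(withExpose));
console.log("Expose: * + creds:", Object.keys(wildcardWithCreds));
```

Listing only `Location` keeps the exposed surface minimal; `*` exposes every response header to the calling origin and stops working once the request carries credentials.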

For Amazon S3 uploads (via Dropzone for instance) you need this in your CORS configuration.

<ExposeHeader>location</ExposeHeader>

I'd just work around it, either by returning the new location as a value from the call or having the client code know where the newly created item is stored.

Another option is to create a proxy for the calls on the original domain.

header "Location: http://myapi.com/some/path/111"

That piece of code is completely wrong. Use it correctly, or almost correctly.

Try this:

header("Location: http://myapi.com/some/path/111");

or

header("Location: http://myapi.com/some/path/111"); exit();

If this does not work, let me know :-)
