1

I've created a GAE project and I deployed two services:

  1. default (https://myservice.appspot.com) for the front-end app
  2. backend (https://backend-dot-myservice.appspot.com) for the backend (Node.js)

I've also added a custom domain so that the default service is reachable also at https://myservice.com.

The problem I have is that each AJAX request performed by the browser is preceded by an OPTIONS request (to handle CORS).

What's the best solution to avoid this OPTIONS request? It should be fixed if both front-end/back-end are on the same host, but how can I do it on Google App Engine?

Thank you!

user2010955
  • Would something like [CORS on App Engine](https://enable-cors.org/server_appengine.html) help you at all? You have methods for Python, Java, and Go based applications. This [SO case](https://stackoverflow.com/questions/18760224/cors-using-ajax-to-post-on-a-python-webapp2-web-service) might help. – sllopis Oct 15 '19 at 09:17
  • I already applied CORS (otherwise it wouldn't have worked if client and server are on different origins), but doing so the browser is doing a pre-flight OPTIONS request for all the requests from front-end to backend. That's what I want to prevent, and the only way I know is to have both client and server on the same origin, so that CORS is not needed anymore... – user2010955 Oct 15 '19 at 09:21

2 Answers

1

I solved it by adding a dispatch.yaml file on the default service

dispatch:
  - url: "*/api/*"
    service: backend

where backend is my backend service. And I changed my backend in order to listen on addresses like /api/something.

So now the browser has origin https://myservice.com and the URLs of AJAX requests to the backend are like https://myservice.com/api/something. Since client and server now have the same origin, the CORS settings are not needed anymore, and the OPTIONS request is not performed by the browser.

I don't know if it's the best solution, but for me it worked.

user2010955
0

As it was mentioned in this Stack Overflow post:

OPTIONS requests are pre-flight requests in Cross-origin resource sharing (CORS).

This pre-flight request is made by some browsers as a safety measure to ensure that the request being done is trusted by the server. Meaning the server understands that the method, origin and headers being sent on the request are safe to act upon.

Your server should not ignore but handle these requests whenever you're attempting to do cross origin requests.


CORS Support for Google App Engine in your app.yaml:

One important use of this feature is to support cross-origin resource sharing (CORS), such as accessing files hosted by another App Engine app.

For example, you could have a game app mygame.appspot.com that accesses assets hosted by myassets.appspot.com. However, if mygame attempts to make a JavaScript XMLHttpRequest to myassets, it will not succeed unless the handler for myassets returns an Access-Control-Allow-Origin: response header containing the value http://mygame.appspot.com.

handlers:
- url: /images
  static_dir: static/images
  http_headers:
    Access-Control-Allow-Origin: http://mygame.appspot.com

Note: if you wanted to allow everyone to access your assets, you could use the wildcard '*', instead of http://mygame.appspot.com.

sllopis
  • Thank you, but again, I want to prevent the OPTIONS requests. The only way I know to prevent those is to have client and server on the same origin, but how can I have two services on the same origin on GAE? – user2010955 Oct 15 '19 at 10:07
  • Have you tried this? The below conditions must be satisfied for ajax request: Request does not set custom HTTP headers like 'application/xml' or 'application/json' etc. The request method has to be one of GET, HEAD or POST. If POST, content type should be one of application/x-www-form-urlencoded, multipart/form-data, or text/plain. More info [here](https://stackoverflow.com/questions/29954037/why-is-an-options-request-sent-and-can-i-disable-it) – sllopis Oct 15 '19 at 10:31
  • The **[Documentation](https://developer.mozilla.org/en-US/docs/Glossary/Origin)** points out that Web content's origin is defined by the scheme (protocol), host (domain), and port of the URL used to access it. Two objects have the same origin only when the scheme, host, and port all match. Some operations are restricted to same-origin content, and this restriction can be lifted using CORS. See link for same origin and different origin examples. – sllopis Oct 15 '19 at 10:39
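
The two ways of avoiding the OPTIONS request discussed above (serving the backend from the same origin via dispatch.yaml, or keeping the request "simple") can be checked with the sketch below. It is an added example, not code from any of the posters; `preflightDecision` and `sameOrigin` are hypothetical helper names, the `/something` path on the backend host is constructed, and the logic is a simplified approximation of the browser's rules.

```javascript
// Added example: approximates the browser's decision to send a CORS preflight.
// Simplifications (assumptions): ignores stream bodies, upload listeners and
// the length/byte restrictions browsers apply to safelisted header values.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Same origin means scheme, host and port all match; URL.origin encodes all three.
function sameOrigin(pageUrl, requestUrl) {
  return new URL(pageUrl).origin === new URL(requestUrl, pageUrl).origin;
}

// Returns { preflight: boolean, reason: string } for one request.
function preflightDecision(pageUrl, requestUrl, { method = "GET", headers = {} } = {}) {
  if (sameOrigin(pageUrl, requestUrl)) {
    return { preflight: false, reason: "same origin, CORS does not apply" };
  }
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    return { preflight: true, reason: `method ${method} is not GET, HEAD or POST` };
  }
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) {
      return { preflight: true, reason: `header ${name} is not CORS-safelisted` };
    }
    if (lower === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) {
        return { preflight: true, reason: `Content-Type ${mime} is not a simple type` };
      }
    }
  }
  return { preflight: false, reason: "cross-origin simple request" };
}

// Constructed sample requests using the hosts from the question.
const page = "https://myservice.com/";
const json = { method: "POST", headers: { "Content-Type": "application/json" } };
console.log(preflightDecision(page, "https://backend-dot-myservice.appspot.com/something", json));
console.log(preflightDecision(page, "/api/something", json)); // after the dispatch.yaml change
```

A cross-origin simple request only skips the OPTIONS round trip: the request is still sent, and the response still needs Access-Control-Allow-Origin before the page's script can read it.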