Cross-Origin Resource Sharing (CORS) affecting the development of OCL

(Rafal Korytkowski) #32

@cintiadr, django api code now allows everything, but ngnix settings still interfere. I see the following in a browser console when trying to log in at

Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Origin:

I think allow-origin should be set to instead of

Also please correct methods to be: DELETE, GET, OPTIONS, PATCH, POST, PUT

(the related issue in oclapi is

(Hadijah Kyampeire) #33

Thanks @raff

(Hadijah Kyampeire) #34

Hello @raff , we have noticed that the build for the issue you raised to fix CORS is failing. Could you please checkout on this link Thanks cc @dkayiwa

(Rafal Korytkowski) #35

Fixed. Reverted accidental commit.

(Hadijah Kyampeire) #36

Awesome, thanks

(Shakira Ndagire Seruwagi) #37

Thanks @raff

(Cintia Del Rio) #38

I did the change requested by @raff.

Now the OPTIONS return for me a 204, seems reasonable to me. Not sure what’s the problem now?

(Cintia Del Rio) #39


Is there any update?

(Hadijah Kyampeire) #40

Hi @cintiadr we are still having CORS

(Cintia Del Rio) #41

Got it.

It’s important to follow up on this kind of thing, so we can actually action on it. None of us really understand CORS in detail, and we do not understand your app, so we need some feedback so we can actually do something about it.

This is what ended up working:

location / {
        if ($request_method = 'OPTIONS') {
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS, POST';
          add_header 'Access-Control-Allow-Headers' 'authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
          # Tell client that this pre-flight info is valid for 20 days
          add_header 'Access-Control-Max-Age' 1728000;
          add_header 'Content-Type' 'text/plain; charset=utf-8';
          add_header 'Content-Length' 0;
          return 204;
        if ($request_method = 'POST') {
          add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS, POST';
          add_header 'Access-Control-Allow-Headers' 'authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
          add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        if ($request_method = 'GET') {
          add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS, POST';
          add_header 'Access-Control-Allow-Headers' 'authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
          add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';

Also, just to let you know.

I suppose because I didn’t create anything in OCL, there’s a bunch of 500 errors after I login:

Those URLs look pretty weird.

Developing the "OCL for OpenMRS" Application
(Hadijah Kyampeire) #42

This is awesome, what of the PUT requests

(Cintia Del Rio) #43

If you need it, we can add. But can you first show me where in the app there’s a CORS PUT? So I can change nginx config and get it to work.

(Hadijah Kyampeire) #44

That happens when we are trying to add existing concepts to a dictionary. It is a PUT request

(Cintia Del Rio) #45

I don’t know your app. Can you explain step by step what I need to do to reproduce this request?

(Cintia Del Rio) #46

Well, I’m going to sleep now. I’ll be back tomorrow.

I did add put, but I’m not sure if that’s working. If it’s not, I really need the step-by-step to reproduce the same request, so I’d be able to fix it.

Let me know also if you’ll have deletes or patches.

(Hadijah Kyampeire) #47

Oh sorry for the delay I got some engagement here but I will gather all the necessary information about our app and you will find it when you wake up.

(Hadijah Kyampeire) #48

Hello community, thanks for all your support on this issue. @cintiadr special thanks to you our CORS problem is no more::hugs::clap:

(Cintia Del Rio) #49


Just another generic tip: it’s important to not hardcode URL everywhere in your APP, as you’ll need to change it for other environments.

It might be enough for now to have a config file (config.js) with those configs, and in the future that file would be created during container startup time based on environment variables.

(Hadijah Kyampeire) #50

Actually we tried doing that but It caused some issues and they reverted the Pull Request the ticket is still in progress, I guess It will be worked on properly.

(Cintia Del Rio) #51

Oh, great, awesome to hear :slight_smile: