You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm trying to request a route (graphql) that is being handled by a GraphQLApp. It works well when I send requests from postman but it fails when going over preflight checks (requesting from my web browser):
Access to fetch at 'http://192.168.64.2:30540/graphql' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
I slightly modified the code from starlette/middleware/cors.py to have a little bit more information on what is happening. The response content generated by preflight_response is Disallowed CORS method (POST), header (access-control-allow-origin), header (authorization), header (content-type).
I also can cheat a little by allowing all "problematic" headers/methods to my middleware (but I guess if these headers are not allowed by default that must be for a reason):
Stumbled upon the same problem, and adding content-type to allow_headers solved it. However, according to the documentation, Content-Type should be a white listed header. My guess is that since the header is sent by the client in lowercase, the white list test fails.
As per #619, we have decided to deprecate GraphQL support within Starlette itself so I am going to close this issue. Thank you for filling this issue. ✌️
I'm trying to request a route (
graphql
) that is being handled by a GraphQLApp. It works well when I send requests from postman but it fails when going over preflight checks (requesting from my web browser):I slightly modified the code from starlette/middleware/cors.py to have a little bit more information on what is happening. The response content generated by
preflight_response
isDisallowed CORS method (POST), header (access-control-allow-origin), header (authorization), header (content-type)
.OPTIONS request details
I also have a regular access point (
admin
) that I can request without any problem on both postman and browser.My code looks like so:
I also can cheat a little by allowing all "problematic" headers/methods to my middleware (but I guess if these headers are not allowed by default that must be for a reason):
That's also strange because CORS middleware never complain about these headers on
POST
requests, but only onOPTIONS
requests.Did I do something wrong or is there a problem in starlette?
The text was updated successfully, but these errors were encountered: