Chrome, Ubuntu, Apache2 & CORS errors

I'm trying to make a request to a Xibo project installed on an Ubuntu Server with Apache2. Xibo is successfully deployed and answering Android devices through SOAP requests.

When I try to make a SOAP request from a web-based Angular app through Chrome/Firefox, a CORS error appears.

  • Apache2 configuration is ignored.
  • Adding CORS directives to the Xibo .htaccess inside the ‘web’ folder and forcing a 200 HTTP code for OPTIONS requests works, but I don't want to force OPTIONS requests to respond with 200 by default.

How can I configure that environment to get access from a web client through a navigator to SOAP requests without CORS errors?

Thanks in advance!

Hi there and welcome.

Do you mean that you’re trying to make a request to the Xibo CMS API directly from an Angular App? CORS would appear in this scenario because Xibo isn’t serving CORS headers for your other app.

The JAMStack way to solve this would be to modify Xibo so that it does issue CORS headers - but only for the API route. You do not want CORS to be allowed for the web/authorize routes as this would be a security concern! If you go this route you must use an authorisation code OAuth flow to authenticate your users (again for security reasons).

You would do this with Apache config as you’ve said - you would do this by adding an allow origin header to your requests:

Header set Access-Control-Allow-Origin "<<your origin>>"

You could also tackle this another way if both your Xibo installation and your web app will be served from the same domain. In this case you could put a reverse proxy in front of both the Xibo install and your custom app install. You could then have:

  • /xibo < the xibo install
  • /app < your app

They would both be on the same domain in this case and therefore CORS wouldn’t be involved at all. You’d still want the OAuth2 authorise code flow to get a token for your Angular app to call the Xibo API. You would also need to configure Xibo for use on a sub-domain - please use the latest 3.0 to 3.1 beta to do this as there were some problems running under a sub-domain before.

I don’t really know what you mean by this, sorry.
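The API-only scoping described in the answer above, as an added Apache fragment that is not part of the original thread or of Xibo's own configuration. It assumes the API is served under `/api`, that the Angular app's origin is `https://app.example.com` (a placeholder), and that mod_headers and mod_rewrite are enabled; the preflight rule answers only CORS preflights from that origin instead of every OPTIONS request.

```apache
# Added example; paths and origin are assumptions, adjust to your install.
# Place inside the <VirtualHost> that serves Xibo.

# Too broad (do not use): every route, including web/authorize, for any origin.
# Header set Access-Control-Allow-Origin "*"

# Scoped: CORS response headers on the API route only, one named origin.
<Location "/api">
    # "always" also covers responses Apache generates itself,
    # such as the 204 preflight answer below and error responses.
    Header always set Access-Control-Allow-Origin "https://app.example.com"
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header always set Access-Control-Allow-Headers "Authorization, Content-Type"
    # Tell caches the response depends on the requesting origin.
    Header always merge Vary "Origin"
</Location>

# Answer a preflight only when it is an OPTIONS request to /api,
# comes from the allowed origin, and carries the preflight marker header.
# Any other OPTIONS request is passed on to the application unchanged.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =OPTIONS
RewriteCond %{HTTP:Origin} =https://app.example.com
RewriteCond %{HTTP:Access-Control-Request-Method} !^$
RewriteRule ^/api(/|$) - [R=204,L]
```

No `Access-Control-Allow-Credentials` header is set, so the browser will not send cookies cross-origin; the Angular app sends its OAuth token in the `Authorization` header instead.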