I'm not sure if it's simply a case of an incorrect setting in my ajax call or my misunderstanding how CORS works.
I have a web server running on my box in the network-- larryq.mycompany.com
. I have full access to that machine and have been setting the following headers on my pages:
Access-Control-Allow-Origin = *
Access-Control-Allow-Headers = 'Authorization'
Access-Control-Allow-Credentials = true
Access-Control-Allow-Methods = "GET, POST, PUT, DELETE"
When I load my current testing page I see those values in my response headers.
On this page I'm making an ajax call to another server on the network, using OAuth:
var OAuthAuthorizationString = 'OAuth realm="http://www.mycompany.com/", oauth_consumer_key="consumerkey"....oauth_nonce="1446691", oauth_version="1.0"'
$.ajax
({
type: 'GET',
url: 'https://secure.mycompany.com?val1=33&val2=45',
data: [],
beforeSend: function (xhr) {
xhr.setRequestHeader('Authorization', 'OAuthAuthorizationString');
}
})
.done(function (html) {
$("#results").empty();
$("#results").append(html);
})
.fail(function (jqXHR, textStatus) {
$("#results").empty();
$("#results").append(textStatus);
});
Right now when I run this I get a 403 Forbidden response during what appears to be the CORS preflight check.
If I open the Google Advanced Rest Client and craft the same GET request using that OAuth string in the Authorization header, the request works and I get back my data.
I must be doing something wrong, but can't figure what? Am I running into some ajax restriction I'm not aware of or (quite likely) not setting things up correctly?
I'm using jQuery 1.10 fwiw.