Ktor CORS doesn't allow requests

I’ve stumbled upon an issue with Ktor’s CORS feature that I couldn’t solve quickly. It required a lot of googling, and everything on Stack Overflow showed that my requests were correct, but they weren’t for Ktor.

My request was:

// The URL needs an explicit scheme; without it, "localhost:" is parsed as the scheme.
fetch("http://localhost:8080/task", {
    method: 'POST',
    headers: {
        "Content-Type": "application/json",
        "Accept": "application/json"
    },
    body: JSON.stringify({name: "first task"})
})
    .then(response => response.json())
    .then(data => console.log(data));

The problem was the Content-Type header, since it is not a header that Ktor allows by default. My first CORS setting was the default one:

install(CORS) {
    method(HttpMethod.Options)
    method(HttpMethod.Put)
    method(HttpMethod.Delete)
    method(HttpMethod.Patch)
    header(HttpHeaders.Authorization)
    header("MyCustomHeader")
    allowCredentials = true
    anyHost() // @TODO: Don't do this in production if possible. Try to limit it.
}

Then I cleaned it up a bit with trial and error to use only what I explicitly need:

install(CORS) {
    method(HttpMethod.Options)
    method(HttpMethod.Post)
    method(HttpMethod.Get)
    anyHost() // @TODO: Don't do this in production if possible. Try to limit it.
}

And since that didn’t work, I dug a bit into the source code of the CORS feature and found out that Content-Type is not a simple header. The allowNonSimpleContentTypes documentation says:

Allow sending requests with non-simple content-types. The following content types are considered simple:
    - `text/plain`
    - `application/x-www-form-urlencoded`
    - `multipart/form-data`
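
The rule behind that list, as an added example (not code from Ktor or from this post): a simplified JavaScript model of the browser-side check that decides whether a cross-origin request needs a preflight and which header names the server must then allow. The function names, the `formRequest` sample and the allow-lists are assumptions made for illustration, and the byte-level value checks of the Fetch standard are left out.

```javascript
// Added example: simplified model of the browser's CORS preflight decision.
// Not Ktor code; all function names here are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "text/plain",
  "application/x-www-form-urlencoded",
  "multipart/form-data",
]);
const ALWAYS_SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

// Lower-cased header names the browser would send in Access-Control-Request-Headers.
function nonSimpleHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers || {})) {
    const n = name.toLowerCase();
    if (ALWAYS_SAFE_HEADERS.has(n)) continue;
    if (n === "content-type") {
      // Only the MIME type counts; parameters such as charset are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (SIMPLE_CONTENT_TYPES.has(essence)) continue;
    }
    out.push(n);
  }
  return out.sort();
}

// A preflight is needed for a non-safelisted method or any non-simple header.
function preflightFor(init) {
  const method = (init.method || "GET").toUpperCase();
  const headers = nonSimpleHeaders(init.headers);
  return { needed: !SAFE_METHODS.has(method) || headers.length > 0, method, headers };
}

// Server side of the preflight: method and every requested header must be allowed.
function serverAllows(preflight, allowedMethods, allowedHeaders) {
  const allowed = new Set(allowedHeaders.map(h => h.toLowerCase()));
  return allowedMethods.includes(preflight.method) &&
    preflight.headers.every(h => allowed.has(h));
}

// The request from this post, and a constructed request with a simple content type.
const pageRequest = {
  method: "POST",
  headers: { "Content-Type": "application/json", "Accept": "application/json" },
};
const formRequest = { method: "POST", headers: { "Content-Type": "text/plain; charset=utf-8" } };

console.log(preflightFor(pageRequest), preflightFor(formRequest));
```

Only `content-type` ends up in the preflight for the request above; `Accept` is always safelisted, which is why it never had to be added to the server configuration.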

So the first option was to set allowNonSimpleContentTypes in configuration:

install(CORS) {
    method(HttpMethod.Options)
    method(HttpMethod.Post)
    method(HttpMethod.Get)
    allowNonSimpleContentTypes = true // <-
    anyHost() // @TODO: Don't do this in production if possible. Try to limit it.
}

And that worked, but I wanted a bit more control, since I didn’t want any random header to creep into my requests. So the final config for the CORS feature looks like this:

install(CORS) {
    method(HttpMethod.Options)
    method(HttpMethod.Post)
    method(HttpMethod.Get)
    header(HttpHeaders.ContentType) // <-
    anyHost() // @TODO: Don't do this in production if possible. Try to limit it.
}

This is just what I’ve made so far, and I’m just at the beginning of setting up my project, so it’s not meant to deal with anything advanced, just to work on my local machine.