CORS Redirect is not allowed for a preflight request

Hello Everyone,
I have an OJS 3.3 installation with multiple journals, each with a different domain name. We can describe the actual configuration as follows:

config.inc.php configuration:

Apache2 VH configuration:

# Dots escaped and pattern anchored at both ends so that only the two listed origins match
SetEnvIf Origin "^https?://(ojs\.journals\.com|www\.myjournal1\.com)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header merge Vary Origin

But I’ve also tried with a more generic ‘Header set Access-Control-Allow-Origin: “*”’.

When I try to make myjournal1 public from the ‘Hosted Journals’ page:

I have the following CORS error:

Access to XMLHttpRequest at 'https://www.myjournal1.com/api/v1/contexts/1' from origin 'https://ojs.journals.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

because, despite being on domain ‘ojs.journals.com’, the request is made to domain ‘www.myjournal1.com’.

My question is: shouldn’t this operation be performed on ‘https://ojs.journals.com/api/v1/contexts/1’
instead of the link ‘https://www.myjournal1.com/api/v1/contexts/1’?

Also because, being on a different domain, you would have to log in twice. Maybe a bug?
Thanks

Probably you need a rule like:

RewriteRule ^/(api/.*)$ /index.php/myjournal1/$1 [R=307,L]

This will rewrite the API calls preserving the parameters sent by the browser (due to the 307 HTTP status).

Can you give it a try?

Hello @janiosarmento,
thanks for your reply. I’m not sure that the request even left the browser.

I mean, I’m on the website ‘https://ojs.journals.com’ ( /admin/contexts page ) and that webpage made an AJAX request to ‘https://www.myjournal1.com’. It’s the browser itself that blocks the request.

The more time I spend on this, the more I think it is a bug. OJS should only generate URLs pointing to the source domain (for AJAX), or am I mistaken in some way?

Thanks
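
The check a browser applies to the preflight in the error above, as an added example that is not part of the thread and not OJS code. A constructed local server stands in for the journal vhost: it answers OPTIONS on /api/ with a 307 like the rule suggested above and answers the rewritten path directly (both assumed behaviours), and `check_preflight` (a hypothetical helper, with PUT as an assumed request method) rejects any 3xx the way the browser did.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ORIGIN = "https://ojs.journals.com"  # origin of the admin page, from the thread

class ConstructedVhost(BaseHTTPRequestHandler):
    """Constructed local stand-in for the journal vhost; not OJS or Apache."""
    def do_OPTIONS(self):
        if self.path.startswith("/api/"):
            # Assumed behaviour: the bare /api/ path is answered with a redirect.
            self.send_response(307)
            self.send_header("Location", "/index.php/myjournal1" + self.path)
        else:
            self.send_response(204)
            self.send_header("Access-Control-Allow-Origin", ORIGIN)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def check_preflight(host, port, path, origin=ORIGIN, method="PUT"):
    """Send a CORS preflight and judge the response the way a browser does."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path, headers={
        "Origin": origin, "Access-Control-Request-Method": method})
    resp = conn.getresponse()  # http.client never follows redirects
    resp.read()
    conn.close()
    if 300 <= resp.status < 400:
        return False, f"{resp.status} redirect to {resp.getheader('Location')}"
    if not 200 <= resp.status < 300:
        return False, f"non-2xx status {resp.status}"
    if resp.getheader("Access-Control-Allow-Origin") not in (origin, "*"):
        return False, "Access-Control-Allow-Origin does not match the origin"
    return True, "preflight passes"

def demo():
    server = HTTPServer(("127.0.0.1", 0), ConstructedVhost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {p: check_preflight("127.0.0.1", server.server_port, p)
               for p in ("/api/v1/contexts/1",
                         "/index.php/myjournal1/api/v1/contexts/1")}
    server.shutdown()
    server.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

Pointing `check_preflight` at a real vhost's host and port shows whether its OPTIONS response is a redirect before any CORS header is considered.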