EDITED for clarity:
Using a Python/Flask REST API to provide secure endpoints (using basic auth) for an ExtJS app. CORS is enabled. All had been working splendidly in all my testing with Safari. Decided to test other browsers (IE, Chrome and Firefox), with the outcome that I keep getting a 401 error and no login dialog.
I found the following blog post, http://mortoray.com/2014/04/09/allowing-unlimited-access-with-cors/, that suggested adding the following chunk of code to ensure all headers were covered for all endpoints:

    from flask import request  # 'app' is the existing Flask application object

    @app.after_request
    def add_cors(resp):
        """ Ensure all responses have the CORS headers. This ensures any failures are also accessible
            by the client. """
        # Echo the caller's Origin back (falls back to '*' when no Origin header is sent)
        resp.headers['Access-Control-Allow-Origin'] = request.headers.get('Origin', '*')
        resp.headers['Access-Control-Allow-Credentials'] = 'true'
        resp.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS, GET'
        resp.headers['Access-Control-Allow-Headers'] = request.headers.get(
            'Access-Control-Request-Headers', 'Authorization')
        # set low for debugging
        if app.debug:
            resp.headers['Access-Control-Max-Age'] = '1'
        return resp

I added this to my API code in hopes that it would work, but it seems to have made no difference.
The API is hosted via Apache using mod_wsgi, with all authentication being passed off to the WSGI app using the WSGIPassAuthorization On directive.
Needless to say, I am slightly confused. Shouldn't I always get the login dialog if a 401 error was detected?
I ended up just moving my ExtJS and API apps to the same server (using Apache mod_alias for the ExtJS app and the WSGIScriptAlias directive from mod_wsgi for the Flask app). Works like a charm and no CORS issues. Notwithstanding the terrible solution for Chrome, I think there is no fix for Firefox, and I didn't even look into IE. I certainly have better things to do.
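
Added example, not part of the original post or the linked blog: browsers send the CORS preflight `OPTIONS` request without credentials, so an API that applies basic auth to every method answers the preflight with a 401. This stdlib-only WSGI middleware answers the preflight before the auth check and sends CORS headers only to an allowlisted origin instead of echoing `Origin`. The origin, `CorsPreflight`, `protected_app` and `call` are constructed for illustration, and whether this was the cause of the 401s described above is an assumption.

```python
# Added example: framework-free WSGI middleware (stdlib only).
ALLOWED_ORIGINS = {"https://extjs.example.test"}  # constructed placeholder origin

def cors_headers(origin):
    """CORS headers for an allowlisted origin; nothing for any other origin."""
    if origin not in ALLOWED_ORIGINS:
        return []
    return [
        ("Access-Control-Allow-Origin", origin),  # exact allowlist match only
        ("Access-Control-Allow-Credentials", "true"),
        ("Vary", "Origin"),                       # keep caches from mixing origins
    ]

class CorsPreflight:
    """Wrap a WSGI app that enforces basic auth on every request."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        extra = cors_headers(environ.get("HTTP_ORIGIN"))
        # The preflight carries no Authorization header, so answer it here,
        # before the wrapped app's auth check can turn it into a 401.
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            if extra:
                extra += [("Access-Control-Allow-Methods", "POST, OPTIONS, GET"),
                          ("Access-Control-Allow-Headers", "Authorization")]
            start_response("204 No Content", extra + [("Content-Length", "0")])
            return [b""]

        def add_cors(status, headers, exc_info=None):
            # Real requests, including 401 failures, still get the CORS headers.
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, add_cors)

def protected_app(environ, start_response):
    """Constructed stand-in for the API: 401 unless Authorization is present."""
    if "HTTP_AUTHORIZATION" not in environ:
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="api"')])
        return [b"login required"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def call(app, method, **headers):
    """Invoke a WSGI app in-process and return (status, headers dict)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/", **headers}
    seen = {}
    def start_response(status, hdrs, exc_info=None):
        seen["status"], seen["headers"] = status, dict(hdrs)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```
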