How can you debug a CORS request with cURL?

How can you debug CORS requests using cURL? So far I couldn't find a way to "simulate" the preflight request.

5

Best Answer

Here's how you can debug CORS requests using curl.

Sending a regular CORS request using cUrl:

curl -H "Origin: http://example.com" --verbose \https://www.googleapis.com/discovery/v1/apis?fields=

The -H "Origin: http://example.com" flag is the third party domain making the request. Substitute in whatever your domain is.

The --verbose flag prints out the entire response so you can see the request and response headers.

The URL I'm using above is a sample request to a Google API that supports CORS, but you can substitute in whatever URL you are testing.

The response should include the Access-Control-Allow-Origin header.

Sending a preflight request using cUrl:

curl -H "Origin: http://example.com" \-H "Access-Control-Request-Method: POST" \-H "Access-Control-Request-Headers: X-Requested-With" \-X OPTIONS --verbose \https://www.googleapis.com/discovery/v1/apis?fields=

This looks similar to the regular CORS request with a few additions:

The -H flags send additional preflight request headers to the server

The -X OPTIONS flag indicates that this is an HTTP OPTIONS request.

If the preflight request is successful, the response should include the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers response headers. If the preflight request was not successful, these headers shouldn't appear, or the HTTP response won't be 200.

You can also specify additional headers, such as User-Agent, by using the -H flag.

Use:

curl \-H "Access-Control-Request-Method: GET" \-H "Origin: http://localhost" \--head \http://www.example.com/
  1. Replace http://www.example.com/ with the URL you want to test.
  2. If the response includes Access-Control-Allow-* then your resource supports CORS.

Rationale for the alternative answer

I google this question every now and then and the accepted answer is never what I need. First, it prints the response body which is a lot of text. Adding --head outputs only headers. Second, when testing S3 URLs we need to provide additional header -H "Access-Control-Request-Method: GET".

The preflight request is done using the OPTIONS HTTP method.

Assuming you want to test CORS on a POST request from http://mysite.example.com to https://myapi.example.com/foo, the command should be:

curl -XOPTIONS \-H "Access-Control-Request-Method: POST" \-H "Origin: http://mysite.example.com" \https://myapi.example.com/foo

The response is either OK or an error message like Disallowed CORS origin. You can still include the headers using -i if you’d like.

This is a lot simpler than some other responses that make either GET or HEAD requests and ask you to interpret the headers.

It seems like just this works:

curl -I http://example.com

Look for Access-Control-Allow-Origin: * in the returned headers.

The Bash script "corstest" below works for me. It isbased on Jun711's comment.

Usage

corstest [-v] URL

Examples

./corstest https://api.coindesk.com/v1/bpi/currentprice.jsonhttps://api.coindesk.com/v1/bpi/currentprice.json Access-Control-Allow-Origin: *

The positive result is displayed in green:

./corstest https://github.com/IonicaBizau/jsonrequesthttps://github.com/IonicaBizau/jsonrequest does not support CORSYou might want to visit https://enable-cors.org/ to find out how to enable CORS

The negative result is displayed in red and blue.

The -v option will show the full curl headers.

corstest

#!/bin/bash# WF 2018-09-20# https://stackoverflow.com/a/47609921/1497139# ANSI colors#http://www.csc.uvic.ca/~sae/seng265/fall04/tips/s265s047-tips/bash-using-colors.htmlblue='\033[0;34m'red='\033[0;31m'green='\033[0;32m' # '\e[1;32m' is too bright for white background.endColor='\033[0m'## A colored message# parameters:# 1: l_color - the color of the message# 2: l_msg - the message to display#color_msg() {local l_color="$1"local l_msg="$2"echo -e "${l_color}$l_msg${endColor}"}## Show the usage#usage() {echo "usage: [-v] $0 url"echo " -v |--verbose: show curl result"exit 1}if [ $# -lt 1 ]thenusagefi# Commandline optionwhile [ "$1" != "" ]dourl=$1shift# Optionally show usagecase $url in-v|--verbose)verbose=true;;;esacdoneif [ "$verbose" = "true" ]thencurl -s -X GET $url -H 'Cache-Control: no-cache' --headfiorigin=$(curl -s -X GET $url -H 'Cache-Control: no-cache' --head | grep -i access-control)if [ $? -eq 0 ]thencolor_msg $green "$url $origin"elsecolor_msg $red "$url does not support CORS"color_msg $blue "you might want to visit https://enable-cors.org/ to find out how to enable CORS"fi

Random Posts

python: OpenCV Root DirectoryHow to declare or mark a Java method as deprecated?vue-language-server : Elements in iteration expect to have 'v-bind:key' directivesUse Python to determine if PDF was generated by Google DocsHow do I use generate_series() in SQL in the middle of a string?Simple way to measure cell execution time in ipython notebookHow to use regex in BigqueryWhich Python memory profiler is recommended? [closed]What is file-descriptor?Proxy server with Node.js on HerokuHow many times with the following loop iterate?Moderation analysis plot: can I use my moderating variable on the x axisLatest webdriver manager not working with current framework codeHow Spark works internallyIs there a way to execute jq from pythonUIPath Add Data Row of DataTable with possibly non existent item in ArrayRowwhat does the term rep-invariant and rep ok means? [closed]Is there a way to prefix deeplinking fragment of swagger ui?Errno 13 Permission denied: '/storage/ emulated/0/Download/site.html'How to open and use a socket in C? [closed]