Get poperties from an API in Node-RED returns CORS error

After struggling weeks with this issue, i am still blocked.

Error :
…has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Yes, I have been reading a lot about CORS . But still it got me puzzled.

Situation:
In Home Assistant, I use the Node-RED with my own coded node (FILTER).
In that Node I want to get a list of Items (Types) I can get from an API with authentication.

So “Home Assistant” (192.168.100.4:8123) => Node-Red (192.168.100.4:1880) => API call on 192.168.100.7:30333 to get the Type-list :

Returns a "Access to XMLHttpRequest at ‘http://192.168.100.4:1880/triggerItems’ from origin ‘http://192.168.100.4:8123’ has been blocked by CORS policy:
Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

  • I tried to add the xhr.setRequestHeader(“Access-Control-Allow-Origin”,“*”); .
  • When I do a HTTP request in Node-RED (with the HTTP node) it works.(see screenshot).
    But that doesn’t solves my code issue.
  • I also tried to add the cors_allowed_origins in HA configuration.yaml
 http:
  use_x_forwarded_for: true
  cors_allowed_origins:
     - "*"
  • I also activated the CORS settings in Node-RED
httpNodeCors: {
     origin: "*",
     methods: "GET,PUT,POST,DELETE"
},
  • I have been reading about using NGINX in between but that’s not very clearly to me how that should be configured

But still no success.
Any CORS expert outhere ?

thanks in advance

Is the thing running on http://192.168.100.4:1880/triggerItems something that you have control over? Sounds like it is not returning the correct headers for the client to pass CORS.

Can you see what is returned from that endpoint as the Access-Control-Allow-Origin header? (This needs to be on the response not the request)

Correct, the triggerItems code is the code you see in the first screenshot.
There I also already tried to add the :

    xhr.setRequestHeader('Access-Control-Allow-Headers', '*');
    xhr.setRequestHeader('Content-type', 'application/ecmascript');
    xhr.setRequestHeader('Access-Control-Allow-Origin', '*');

but i never see it being accept on the response headers when debugging with F12

No I mean what is hosting that API that you are calling?
You are still attempting to put the headers on the request rather than the response. You need to edit the web host for http://192.168.100.4:1880/triggerItems not the node you are calling it from.

Hi, do you mean the location of the triggerItems script?
That’s then the Node-RED itself ?
But I already added the configs lines on that.

httpNodeCors: {
     origin: "*",
     methods: "GET,PUT,POST,DELETE"
},

Add OPTIONS to that list of methods.

Added the options in the Node-Red config:

and even added some other settings I found, like:

image

but the return is almost the same

So I am not able to get the “Access-Control-Allow-Origin” in the response it keeps telling me.

When I click on the “triggerItems” (at the left) I get a perfect response in the debug window.
So the link, credentials, etc… are correct.
It is just not willing to return the response the same IP address (HA & NodeRed)

Actually that isn’t a CORS error at all, that is a 401 Unauthorized. Meaning there is something wrong with your authenticaiton, maybe incorrect username/password? Are you able to make the request in something like Postman successfully?

I still don’t understand what is hosting that endpoint, where are those options in Node-Red where you have the CORS settings? (So I can test it out on mine)

Hi, I know what you mean : There is a “401” error.

But the full error message I receive is :

Access to XMLHttpRequest at ‘http://192.168.100.4:1880/triggerItems’ from origin ‘http://192.168.100.4:8123’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
GET http://192.168.100.4:1880/triggerItems net::ERR_FAILED

When not sending credentials, i get an authorization error.
And I know that my credentials are correct because when I click the link and fill them in, I get the correct JSON response.
Although its not clear for me why i should send credentials when already in Node-Red. The API i call is not asking for any.

I also found info about “OPTIONS” is not sending credentials parms : 401 error & OPTIONS

So I coded it different now:
image

but same error…

In Node Red you can find the settings in: /config/node-red/settings.js
Access it easily with the Studio Code Server add-on.