CrossDomain request, normal GET, POST, OPTIONS etc. works, but upload not #319

Closed
KevinTanjung opened this issue Sep 7, 2014 · 8 comments

@KevinTanjung

As you can see, I try 3 XHRs before uploading. All use the $http service from Angular, and they are routed to the domain api.aurora.dev from the origin aurora.dev. All work, and the preflight request is also handled fine. I use Laravel 4.2 as the back-end with the barryvdh/laravel-cors package for handling CORS. All seems to work fine until I try doing an upload.

This is the script below. Do I need to add an extra header for the upload request? Is it different than a normal POST or PUT request? Thank you.

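```javascript
$upload.http({
    url: gon.env.API_HOST + '/submission/upload/original',
    method: 'POST',
    // Custom Authorization header: makes the cross-origin request preflighted
    headers: { 'Authorization': 'Bearer ' + gon.user.ACCESS_TOKEN },
    // e is the event of the enclosing handler (not shown)
    data: e.target.result
})
.progress(function(evt){
    // The parameter must be named evt to match the references below
    console.log('percent: ' + parseInt(100.0 * evt.loaded / evt.total, 10));
})
.success(function(data, status, headers, config){
    console.log(data);
})
.error(function(err){
    console.log(err);
});
```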

Btw everything works fine if I do it with same domain stuff. Thank you.

@danialfarid
Owner

Can you post here the request AND response content of the OPTIONS and POST requests for regular successful xhr and OPTIONS and POST for the upload?

@KevinTanjung
Author

Successful OPTIONS and POST request:
OPTIONS

**Request Headers**
OPTIONS /v1/location/country HTTP/1.1
Host: api.aurora.dev
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Access-Control-Request-Method: POST
Origin: https://aurora.dev
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36
Access-Control-Request-Headers: accept, authorization, content-type
Accept: */*
Referer: https://aurora.dev/art/submission/create
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6,zh-CN;q=0.4,zh;q=0.2
**Response Headers**
HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.14-1+deb.sury.org~trusty+1
Cache-Control: no-cache
Date: Mon, 08 Sep 2014 02:28:12 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://aurora.dev
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: authorization, x-auth-token, x-requested-with, content-type, accept, user-agent
Set-Cookie: aurora_session=eyJpdiI6IjBFbkxNTU5DWmVBMTNUMW5OeVwvMWV3PT0iLCJ2YWx1ZSI6IjVHamZ2eEtocEFJRjVMZWVFNEVWUFBsRnlFem9JaVwvRUROVkNVZWdjZzY0cHVHWHhRUWlibEg0WTBCWU5DZXdZNUIzckp1NkpuYlZhYjMxTmdUOUM4dz09IiwibWFjIjoiNzNkMDRhMTQzMDhiMmY0YWUxMGQ2ODcxNTVkNzBhMjk3YmQ0M2I0OTBjNDY1YzNkZGE4YTQ0OWU2MzQ1NjBjOCJ9; expires=Mon, 08-Sep-2014 04:28:12 GMT; Max-Age=7200; path=/; domain=.aurora.dev; secure; httponly
Content-Encoding: gzip

POST

**Request Headers**
POST /v1/location/country HTTP/1.1
Host: api.aurora.dev
Connection: keep-alive
Content-Length: 2
Cache-Control: no-cache
Pragma: no-cache
Origin: https://aurora.dev
Authorization: Bearer iMBKSeuIZHfPRvI7GYBZOMfHrWh6AsToNVZKz8h5
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
Referer: https://aurora.dev/art/submission/create
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6,zh-CN;q=0.4,zh;q=0.2
Cookie: GUEST_COOKIE=eyJpdiI6IkVidTRiSHN6R3RuaHhQWDdvY3dRUnc9PSIsInZhbHVlIjoiRmk4UGhhUU41N1JtUGhCWndnXC9SNDdNVzJIVXFnR3lKM3E3M1dGS3gweitXN0VUN0dGRTRaU1dFUmx0MTl6aGxITFoydlFqTVRVcnVxeXp5K29LeGZ3PT0iLCJtYWMiOiI2MWQ1OTNmMDAzZjllNTBiM2JjOWRhNWE2NmZlYzRiZmNmZGVlZTA5M2MwMTIzNWRmNTA3NDQ4N2E1NDg0ZTMzIn0%3D; remember_82e5d2c56bdd0811318f0cf078b78bfc=eyJpdiI6IlZKWmlsb0JwZUl1SUNKcFlDbzZUclE9PSIsInZhbHVlIjoiZ3pcL0FlXC9vWTFnOGZXYXJFOEE0ck01RnhMenFyY0dBb1JiK05WOFFwWno3OWFVSWp5aHk2cVlMUXJENWg4Z3NQemxBaVJcL3pMczgrYk90a3JrM3M1VW9RbTJ3OEdrXC91VmJLaTZtTUk4UFprPSIsIm1hYyI6ImM1NmM0MmNkZmE5MDkxZTBiMTc3MmFiMjg0NmRlYzViNDBiNWJiZDQ5MjE5MTdjYmE5NTA3ZGUxMjE2ZjgyNzQifQ%3D%3D; aurora_session=eyJpdiI6IkNia0NkVlQ5TFNrdXkzalVNRnBGRXc9PSIsInZhbHVlIjoiTnpRXC9LUFJQUFd2OE1ROXRrQ2phQTVaWTM5ZllWZUduYmZqSTJcLzAzODZTQXJSS3NISUlNMm9tUUZOVHJiaUFNNEF6ODgzY0p5UlpIMmtRYVU0MjN2QT09IiwibWFjIjoiZmY2ODIyMzJhNWE0OTczZTYzMzJhNzJmODg2NDk1MzZmYzE1NzJmNTVkNGQwOGRkZjFiNjJjY2Y4YmJhNGU5MSJ9
**Response Headers**
HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.14-1+deb.sury.org~trusty+1
Cache-Control: no-cache
Date: Mon, 08 Sep 2014 02:28:13 GMT
Access-Control-Allow-Origin: https://aurora.dev
Vary: Origin
Access-Control-Allow-Credentials: true
phpdebugbar-id: 2adf0abeb9e7cea73d743850427212f0
Set-Cookie: aurora_session=eyJpdiI6Ik9oT0lUakk5d3dyTDRTTXdPYjFLVWc9PSIsInZhbHVlIjoiVDJHXC9iTUNaaFFaMlNGUVwvSmxRY3dMSDlWS0REZkxiQnBxNHJhdW9CVXdibVQyOXZrckZOakVUbHZuV25SXC9mTGRJeFFKTlVTVzdFZEhnRmcxXC9zVW5BPT0iLCJtYWMiOiI5NTZhN2ZjNGMzNjgzODJmNWVkMWFkMDFmY2YxOTUzZmEyMmQyYmI3MjI2NjRjZDNlMWNjZmQyYWNmYWUwOGYzIn0%3D; expires=Mon, 08-Sep-2014 04:28:13 GMT; Max-Age=7200; path=/; domain=.aurora.dev; secure; httponly

Failed Upload POST request (successful OPTIONS)
OPTIONS

**Request Headers**
Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,id;q=0.6,zh-CN;q=0.4,zh;q=0.2
Access-Control-Request-Headers:accept, authorization, content-type
Access-Control-Request-Method:POST
Cache-Control:no-cache
Connection:keep-alive
Host:api.aurora.dev
Origin:https://aurora.dev
Pragma:no-cache
Referer:https://aurora.dev/art/submission/create
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36
**Response Headers**
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:authorization, x-auth-token, x-requested-with, content-type, accept, user-agent
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:https://aurora.dev
Cache-Control:no-cache
Connection:keep-alive
Content-Encoding:gzip
Content-Type:text/html
Date:Mon, 08 Sep 2014 03:02:59 GMT
Server:nginx/1.4.6 (Ubuntu)
Set-Cookie:aurora_session=eyJpdiI6InBsdFBPeVRzS3NBMGJRZnBwemdVWWc9PSIsInZhbHVlIjoiWUxPZmc0QmpaUnRMd1BEeWNcL25kc1wvY1lsWnEraElOWjlIbk41QU42ZVZzZE5GdTErbDM2OEI5VTZwekZCM0huMGFDM3NUUXlTcE5Ec2NUYlh6MkI4QT09IiwibWFjIjoiN2QwMWE1MjllZDZkNDcxOGFiYzgzNjhmNTYyYTc0ZjFlMmU4NDllOTU1ZWYzZDMzZTY2MTlmMGQyOTA1YmY0NSJ9; expires=Mon, 08-Sep-2014 05:02:59 GMT; Max-Age=7200; path=/; domain=.aurora.dev; secure; httponly
Transfer-Encoding:chunked
X-Powered-By:PHP/5.5.14-1+deb.sury.org~trusty+1

Somehow, when I try to recreate the issue, it resolves itself... I don't know how. Before, I changed my code to upload to the same origin so that I could continue my development, and everything worked fine. Now I have reverted to the old issue, but somehow everything works. Well, I guess thanks then.

But just for my own knowledge, are there any differences between the POST request of a normal form and a multipart-encoded form? Could it create this kind of issue like before?

@danialfarid
Owner

No, it should be the same as normal xhr. The only restriction is the IE8-9 flash polyfill, which does not allow custom headers, so you need to find another way to send the auth headers within the request.
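
Added example (not part of the original thread or the project's code): the check a browser applies to a preflight response, run against the upload preflight headers quoted in this thread. It shows that the decision depends only on the origin, method and header names, not on whether the body is a file; the function names are hypothetical and the safelist handling is simplified.

```javascript
// Sample header text constructed from the upload preflight quoted in this thread.
const uploadPreflightRequest = [
  'Origin:https://aurora.dev',
  'Access-Control-Request-Method:POST',
  'Access-Control-Request-Headers:accept, authorization, content-type',
].join('\n');
const uploadPreflightResponse = [
  'Access-Control-Allow-Credentials:true',
  'Access-Control-Allow-Headers:authorization, x-auth-token, x-requested-with, content-type, accept, user-agent',
  'Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS',
  'Access-Control-Allow-Origin:https://aurora.dev',
].join('\n');

// Accepts both "Name: value" and DevTools-style "Name:value" lines.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split('\n')) {
    const m = line.match(/^([A-Za-z0-9-]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2].trim();
  }
  return headers;
}

const tokens = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
// Returns the reasons the actual request would be blocked; [] means allowed.
function preflightProblems(requestRaw, responseRaw) {
  const req = parseHeaders(requestRaw);
  const res = parseHeaders(responseRaw);
  const problems = [];
  const allowOrigin = res['access-control-allow-origin'];
  const withCredentials = res['access-control-allow-credentials'] === 'true';
  // "*" is rejected for credentialed requests, so it passes only without them.
  if (allowOrigin !== req.origin && (allowOrigin !== '*' || withCredentials)) {
    problems.push('origin');
  }
  const method = (req['access-control-request-method'] || '').toLowerCase();
  // GET, HEAD and POST are CORS-safelisted and need no explicit listing.
  if (!['get', 'head', 'post'].includes(method) &&
      !tokens(res['access-control-allow-methods']).includes(method)) {
    problems.push('method:' + method);
  }
  const allowed = tokens(res['access-control-allow-headers']);
  for (const name of tokens(req['access-control-request-headers'])) {
    // Safelisted names never need listing; authorization always does.
    if (!['accept', 'accept-language', 'content-language'].includes(name) &&
        !allowed.includes(name)) problems.push('header:' + name);
  }
  return problems;
}
```

An empty result for a captured preflight pair means the browser's CORS check is satisfied, so a failing upload has to be traced elsewhere (server response to the POST itself, or the polyfill path).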

@KevinTanjung
Author

Is 'Authorization' header for Bearer token counted as a custom header?

@danialfarid
Owner

Yep, you cannot set header: {} in the config for IE8-9.
You can find workarounds here:
#111 (comment)

@danialfarid
Owner

You would also need a crossdomain.xml file on your server. Read the CORS and server section of the readme file.

@KevinTanjung
Author

Okay, thanks a lot, @danialfarid. I'll take a look at it and I will let you know if there seems to be any other issue.

@danialfarid
Owner

Please open a separate issue since this issue is working for you now.
