• Vinicius Viotto Sponchiado
Hi, we are trying to integrate a web application with the Salesforce REST API but we are having some CORS issues.

The domain is whitelisted in Salesforce (currently testing on localhost), and all requests work fine if we send the OAuth token as a query param in the URL like this:
https://test.salesforce.com/id/XXXXXXXX/YYYYYYYY?oauth_token=access_token
But if we try to send the token using the Authorization Header instead of passing it in the URL, like this:
Authorization: Bearer access_token

It fails with a CORS error because the preflight request to the same URL using the OPTIONS method returns a 403 with error "Missing OAuth token".
This happens because the browser omits the Authorization Header when doing the preflight request; this is actually documented in the CORS spec (https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0): "for a cross-origin request with preflight … make a preflight request … Exclude user credentials"

Is there any workaround for this?
Thanks for the help =)
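
The exchange described in the post above, modelled as an added example that is not part of the original post and is not Salesforce code: it builds the credential-free preflight a browser sends, then compares a handler that checks the token before handling CORS (the reported 403) with one that answers the preflight first and still requires the token on the real request. The origin http://localhost:3000, the allow-list and all function names are assumptions made for illustration.

```javascript
// Constructed model of the exchange; not Salesforce code. Origin and port are assumed.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]);

// What a browser sends before a cross-origin request that carries an Authorization
// header. The header's name is announced; its value is never included.
function buildPreflight(origin, method, headerNames) {
  return {
    method: "OPTIONS",
    headers: {
      origin,
      "access-control-request-method": method,
      "access-control-request-headers": headerNames.map((h) => h.toLowerCase()).join(","),
    },
  };
}

const hasBearer = (req) => /^Bearer \S+$/.test(req.headers.authorization || "");
const deny = () => ({ status: 403, headers: {}, body: "Missing OAuth token" });
const corsFor = (origin) =>
  ALLOWED_ORIGINS.has(origin) ? { "access-control-allow-origin": origin, vary: "Origin" } : {};

// Ordering that reproduces the reported failure: token check before CORS handling.
function authFirstHandler(req) {
  if (!hasBearer(req)) return deny();
  return { status: 200, headers: corsFor(req.headers.origin), body: "ok" };
}

// Ordering that lets the header-based flow work: the preflight is answered without
// a token for allow-listed origins only; the real request still needs the token.
function preflightFirstHandler(req) {
  const origin = req.headers.origin;
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: "" };
    // "authorization" must be named explicitly; a "*" wildcard does not cover it.
    return { status: 204, headers: { ...corsFor(origin), "access-control-allow-headers": "authorization" }, body: "" };
  }
  if (!hasBearer(req)) return { ...deny(), headers: corsFor(origin) };
  return { status: 200, headers: corsFor(origin), body: "ok" };
}

// Browser-side decision: does the preflight response permit the real request?
function preflightPasses(res, origin, headerNames) {
  if (res.status < 200 || res.status > 299) return false;
  if (res.headers["access-control-allow-origin"] !== origin) return false;
  const allowed = (res.headers["access-control-allow-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase());
  return headerNames.every((h) => allowed.includes(h.toLowerCase()));
}
```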
 