This case appears because Chrome and Safari send the Origin
header on same-origin PUT, DELETE & POST requests.
Firefox, on the other hand, does not send the Origin header on
same-origin requests. As the Keycloak team explained to me,
in most JS/HTML apps you'd add the origin part of the base URL as a web
origin in the application's settings through the Keycloak administration
console.
However, this does not apply to non-JS-based apps, and that's why the base
URL is not automatically considered a web origin.

Request Method:POST
Request Headers
Accept:application/json, text/javascript, */*; q=0.01
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,el;q=0.6
Connection:keep-alive
Content-Length:15
Content-Type:application/json
Cookie:JSESSIONID=Tw9NmJjHUlRO6JnimwyzS1w3.undefined
Host:agpushkeycloak-mobileqa.rhcloud.com
Origin:http://agpushkeycloak-mobileqa.rhcloud.com
Referer:http://agpushkeycloak-mobileqa.rhcloud.com/
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
X-Requested-With:XMLHttpRequest

On Tue, 2014-02-04 at 18:13 +0100, Karel Piwko wrote:
* Ember in UPS is firing AJAX requests to REST endpoints on the same
domain.
However, as it goes through the Keycloak Auth Server, this is considered a
CORS request. I had to configure a Web Origin for the UPS application. This is
confusing to me; the Origin header should be transparent for Keycloak as I'm
firing the request to the same domain. Note this does not happen in Firefox,
which identifies the same domain and avoids the Origin header. I need some
insight here from more skilled people.
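
Added example, not part of the original thread and not Keycloak's own code: one way a server-side check can tell a same-origin request that merely carries an Origin header (the Chrome/Safari case above) from a genuinely cross-origin one that needs a configured web origin. The names classifyOrigin and normaliseOrigin, the return labels and the other.example host are assumptions made for illustration.

```javascript
// Normalise "scheme://host[:port]" so default ports (80/443) compare equal.
// Returns null for the opaque "null" origin, non-HTTP schemes and garbage.
function normaliseOrigin(value) {
  try {
    const url = new URL(value);
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
    return url.origin;
  } catch (err) {
    return null;
  }
}

// headers: header map with lower-cased names.
// scheme: how this server is reached; take it from trusted server or proxy
//         configuration, never from anything the client sends.
// allowedWebOrigins: extra origins configured for the application.
function classifyOrigin(headers, scheme, allowedWebOrigins) {
  const rawOrigin = headers['origin'];
  // Firefox case from the thread: same-origin request without Origin.
  if (rawOrigin === undefined) return 'no-origin-header';

  const origin = normaliseOrigin(rawOrigin);
  if (origin === null) return 'rejected';

  // Chrome/Safari case: Origin is present but equals the server's own origin.
  const self = normaliseOrigin(`${scheme}://${headers['host']}`);
  if (self !== null && origin === self) return 'same-origin';

  // Anything else is cross-origin and must be on the allow-list.
  const allowed = allowedWebOrigins.map(normaliseOrigin);
  return allowed.includes(origin) ? 'allowed-cross-origin' : 'rejected';
}

// Constructed samples based on the request headers quoted in this thread.
const HOST = 'agpushkeycloak-mobileqa.rhcloud.com';
const chromePost = { host: HOST, origin: `http://${HOST}` };
const firefoxPost = { host: HOST };
const foreignPost = { host: HOST, origin: 'http://other.example' };

console.log(classifyOrigin(chromePost, 'http', []));
console.log(classifyOrigin(firefoxPost, 'http', []));
console.log(classifyOrigin(foreignPost, 'http', []));
console.log(classifyOrigin(foreignPost, 'http', ['http://other.example']));
```

Comparing the full origin (scheme, host and port) rather than the host name alone matters: the same host reached over a different scheme or port is a different origin and still has to go through the allow-list.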