
Full API CORS Support

In order to make an HTTP request from a browser to the LaMetric API directly, the API needs to support cross-domain requests.

Currently the LaMetric API is able to answer OPTIONS-Requests (preflight requests) with an "Access-Control-Allow-Origin: *" and "Access-Control-Allow-Headers: *" header. This is enough to make GET and POST requests without restrictions. But for PUT requests, an additional "Access-Control-Allow-Methods: *" header is required.

Example JavaScript-Snippet:


// config (ip, port, username, password) is defined elsewhere in the application
var changeAudioVolume = function(volume) {
    var xmlhttp = new XMLHttpRequest();
    // PUT is not a CORS-safelisted method, so the browser sends a preflight first
    xmlhttp.open("PUT", "http://" + config.ip + ":" + config.port + "/api/v2/device/audio");
    xmlhttp.setRequestHeader("Authorization", "Basic " + btoa(config.username + ":" + config.password));
    xmlhttp.setRequestHeader("Content-Type", "application/json");
    xmlhttp.send(JSON.stringify({ volume }));
};


CORS preflight request (initiated from the browser):


Expected response for full CORS Support:

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: *

Access-Control-Allow-Methods: *

Current response:

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: *

The browser refuses to execute the request because of the missing preflight response header.


The behavior is the same in Chrome and Firefox.
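The following is an added example, not code from the original post or from LaMetric: a simplified model of the method and header checks the Fetch Standard applies to a preflight response, showing why PUT is refused while POST passes. It also covers two cases a server operator should know: `*` does not cover the `Authorization` header, and `*` is taken literally when the request is sent with credentials. The function name, the request shape and the sample responses are assumptions constructed for illustration, and the origin check is left out.

```javascript
// Added example: simplified model of the browser's CORS-preflight check (Fetch Standard).
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"]; // need no Allow-Methods entry
const NON_WILDCARD_HEADERS = ["authorization"];     // never covered by "*"

function parseList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// request:   { method, headers: [names of non-safelisted request headers], credentials }
// preflight: lower-cased response header name -> value (hypothetical shape)
function preflightAllows(request, preflight) {
  const methods = parseList(preflight["access-control-allow-methods"]);
  const allowed = parseList(preflight["access-control-allow-headers"]).map((h) => h.toLowerCase());
  // "*" acts as a wildcard only when the request is sent without credentials
  // (withCredentials / credentials: "include"); otherwise it is a literal.
  const wildcardOk = !request.credentials;
  const reasons = [];

  const methodListed = methods.includes(request.method); // method match is case-sensitive
  const methodWildcard = wildcardOk && methods.includes("*");
  if (!methodListed && !methodWildcard && !SAFELISTED_METHODS.includes(request.method)) {
    reasons.push(`method ${request.method} not allowed by Access-Control-Allow-Methods`);
  }
  for (const name of request.headers.map((h) => h.toLowerCase())) {
    const listed = allowed.includes(name);
    const viaWildcard = wildcardOk && allowed.includes("*") && !NON_WILDCARD_HEADERS.includes(name);
    if (!listed && !viaWildcard) {
      reasons.push(`header ${name} not allowed by Access-Control-Allow-Headers`);
    }
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed preflight responses: the one reported in the post, and an explicit variant.
const current = { "access-control-allow-origin": "*", "access-control-allow-headers": "*" };
const explicit = {
  "access-control-allow-origin": "*",
  "access-control-allow-headers": "Authorization, Content-Type",
  "access-control-allow-methods": "GET, POST, PUT",
};
const put = { method: "PUT", headers: ["Content-Type"], credentials: false };
const putWithAuth = { method: "PUT", headers: ["Authorization", "Content-Type"], credentials: false };

console.log(preflightAllows(put, current));          // blocked: PUT is not listed
console.log(preflightAllows(putWithAuth, explicit)); // allowed: everything listed by name
```

Listing the methods and headers by name, as in `explicit`, keeps the result the same whether or not the request carries credentials.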

