CORS Problem with Namespace and Dropbox-API-Path-Root header

AlemoDaniel · ‎06-05-2018

Trying to list team root folders using this request from the namespace guide:

curl -X POST https://api.dropboxapi.com/2/files/list_folder \
--header "Authorization: Bearer <token>" \
--header "Content-Type: application/json" \
--header 'Dropbox-API-Path-Root: {".tag": "root", "root":"<namespace_id>"}' \
--data '{"path":""}'

This works from the console. However, when using inside a Browser using xhr, i am running into a CORS problem:

Failed to load https://api.dropboxapi.com/2/files/list_folder:
 Response to preflight request doesn't pass access control check:
 No 'Access-Control-Allow-Origin' header is present on the requested resource.
 Origin 'http://localhost:7331' is therefore not allowed access.
 The response had HTTP status code 400.

The request will work for any other folders, it seems the problem lies within the custom header (Dropbox-API-Path-Root)

Is there any way to solve this? Thank you in advance 🙂

AlemoDaniel · ‎06-05-2018

So i found that this works:

curl -X POST https://api.dropboxapi.com/2/files/list_folder?path_root={".tag": "root", "root":"<namespace_id>"} \
--header "Authorization: Bearer <token>" \
--header "Content-Type: application/json" \
--data '{"path":""}'

I didn't find this specific implementation documented anywhere, but rather derived from section Browser-based JavaScript and CORS pre-flight requests from the documentation:

Use URL parameters arg and authorization instead of HTTP headers Dropbox-API-Argand Authorization.

I think it would still be cool, if Dropbox-API-Path-Root would be added to allowed headers. Currently this is the response i get:

Access-Control-Allow-Headers: Origin, Accept-Language, Content-Language, Cache-Control,
     Dropbox-API-Select-User, Accept, Range, Referer, Dropbox-API-Arg, If-Modified-Since, 
     If-None-Match, Content-Type, Dropbox-API-User-Locale, Authorization

As you see, Dropbox-API-Arg is already supported, so there is no need to work around the preflight request

View solution in original post

Greg-DB · ‎06-07-2018

These headers have been added, so this should work now. Hope this helps!

View solution in original post

AlemoDaniel · ‎06-05-2018

So i found that this works:

curl -X POST https://api.dropboxapi.com/2/files/list_folder?path_root={".tag": "root", "root":"<namespace_id>"} \
--header "Authorization: Bearer <token>" \
--header "Content-Type: application/json" \
--data '{"path":""}'

I didn't find this specific implementation documented anywhere, but rather derived from section Browser-based JavaScript and CORS pre-flight requests from the documentation:

Use URL parameters arg and authorization instead of HTTP headers Dropbox-API-Argand Authorization.

I think it would still be cool, if Dropbox-API-Path-Root would be added to allowed headers. Currently this is the response i get:

Access-Control-Allow-Headers: Origin, Accept-Language, Content-Language, Cache-Control,
     Dropbox-API-Select-User, Accept, Range, Referer, Dropbox-API-Arg, If-Modified-Since, 
     If-None-Match, Content-Type, Dropbox-API-User-Locale, Authorization

As you see, Dropbox-API-Arg is already supported, so there is no need to work around the preflight request

Greg-DB · ‎06-05-2018

Thanks for the report! I'll ask the team to update our CORS implementation to allow this.

AlemoDaniel · ‎06-05-2018

Thanks, that would be awesome. Also would be cool to have the url hacking documented a bit more detailed somewhere 🙂

Greg-DB · ‎06-06-2018

No problem, I'll ask the team to expand the documentation on this as well.

Greg-DB · ‎06-07-2018

These headers have been added, so this should work now. Hope this helps!

AlemoDaniel · ‎06-07-2018

Can confirm that it now works for CORS. Thanks for the quick adjustment!

CORS Problem with Namespace and Dropbox-API-Path-Root header

CORS Problem with Namespace and Dropbox-API-Path-Root header

Top contributors to this post