CORS error when using HttpRequest.getString(url)


The whole application is built with Angular 2 for Dart.

At one place I have a service with a really naive HttpRequest.getString() call with no special parameters or anything.

String response =  await HttpRequest.getString(url);

On the server side there is a WordPress installation with WP-API running.

It seems, that Dart is creating a new response header for the currently loaded hostname somehow, because I get this error:

XMLHttpRequest cannot load http://my-wordpress/wp-json/wp/v2/pages.

The ‘Access-Control-Allow-Origin’ header contains multiple values ‘http://localhost:8080, *’, but only one is allowed. Origin ‘http://localhost:8080‘ is therefore not allowed access.

I don’t get the same result with Postman, though:

enter image description here

From what I could read out of the source code, Dart itself concatenates duplicate headers into just one, but I couldn’t find any information on that extra CORS header.


I could fix it by commenting out WordPress specific REST-API code.
In the folder wp-includes there is a file called rest-api.php.

On line 376 upwards you see something like this:

header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
header( 'Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE' );
header( 'Access-Control-Allow-Credentials: true' );

This seems to allow the host of the request to access the API. But since I’m already adding * as Origin, this will fail. So I just commented that code block out and everything works fine now.

Answered By – rinukkusu

Answer Checked By – Senaida (FlutterFixes Volunteer)

Leave a Reply

Your email address will not be published. Required fields are marked *