Michael -
Thanks for the pointer. Added all that and more:
```javascript
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://api.flowdock.com/flows/pubnub/' + channel + '/messages', true);
xhr.setRequestHeader('Content-type', 'application/json');
xhr.setRequestHeader('Authorization','Basic redacted-token');
xhr.setRequestHeader("Access-Control-Allow-Credentials", "true");
// also tried following as 'support.pubnub.com'
xhr.setRequestHeader('Access-Control-Allow-Origin','https://support.pubnub.com');
xhr.setRequestHeader('Access-Control-Allow-Methods','POST,PUT,PATCH,DELETE,GET');
xhr.setRequestHeader('Access-Control-Allow-Headers','Origin, Accept, Content-type, Authorization, X-Auth-Token, X-CSRF-Token, X-Requested-With, X-Prototype-Version');
xhr.setRequestHeader('Access-Control-Request-Headers','Origin, Accept, Content-type, Authorization, X-Auth-Token, X-CSRF-Token, X-Requested-With, X-Prototype-Version');
```
...and now I get the following error:
```
4052:1643 Refused to set unsafe header "Access-Control-Request-Headers"
4052:1 Failed to load https://api.flowdock.com/flows/pubnub/CoE/messages: Request header field Access-Control-Allow-Origin is not allowed by Access-Control-Allow-Headers in preflight response.
```
Been searching the webs on this error and nothing seems to work. This SO post in particular:
express - Request header field Access-Control-Allow-Headers is not allowed by itself in preflight response - Stack Overf…
Even looked at the Access-Control-Request-Headers in the Network tab of Chrome Developer Tools and copy/pasted my Access-Control-Allow-Headers.
This is my full Headers content in the Chrome Developer tools (some values changed/redacted):
```
Request URL: https://api.flowdock.com/flows/pubnub/coe/messages
Request Method: OPTIONS
Status Code: 204 No Content
Remote Address: 107.re.dacted.137:443
Referrer Policy: no-referrer-when-downgrade

Access-Control-Allow-Headers: Origin, Accept, Content-type, Authorization, X-CSRF-Token, X-Requested-With, X-Prototype-Version
Access-Control-Allow-Methods: POST, PUT, PATCH, DELETE, GET, OPTIONS
Access-Control-Allow-Origin: https://support.pubnub.com
Access-Control-Expose-Headers: Link, Flowdock-User
Access-Control-Max-Age: 1728000
Cache-Control: no-cache
Date: Tue, 17 Apr 2018 17:30:57 GMT
Server: Apache
Status: 204 No Content
Strict-Transport-Security: max-age=31557600
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Request-Id: 9db7db25-de7f-4bb1
X-Runtime: 0.246123
X-Server-Id: 3c4883af3814755837
X-XSS-Protection: 1; mode=block

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: access-control-allow-credentials,access-control-allow-headers,access-control-allow-methods,access-control-allow-origin,authorization,content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: api.flowdock.com
Origin: https://support.pubnub.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
```
Do I have to get the response and set this in the response as per one of the answers in this post:
```
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "GET,HEAD,OPTIONS,POST,PUT");
response.setHeader("Access-Control-Allow-Headers", "Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
```
Appreciate any insights.
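
Added example, not part of the original post: a small re-implementation of the comparison a browser makes between the preflight's `Access-Control-Request-Headers` and the server's `Access-Control-Allow-Headers`, run over the two values from the DevTools dump above. The function and constant names are hypothetical, and the `*` handling follows the Fetch standard's rule that a wildcard never covers `Authorization`.

```javascript
// Header values copied from the DevTools dump in the post above.
const PREFLIGHT_REQUEST_HEADERS =
  'access-control-allow-credentials,access-control-allow-headers,' +
  'access-control-allow-methods,access-control-allow-origin,' +
  'authorization,content-type';
const SERVER_ALLOW_HEADERS =
  'Origin, Accept, Content-type, Authorization, X-CSRF-Token, ' +
  'X-Requested-With, X-Prototype-Version';

// Split a comma-separated header value into lowercase header names.
function parseList(value) {
  return value.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Return the requested header names that the server's preflight
// response does not allow. Header names compare case-insensitively.
function blockedHeaders(requested, allowed, credentialed = false) {
  const allow = new Set(parseList(allowed));
  // "*" is only a wildcard for requests made without credentials.
  const wildcard = allow.has('*') && !credentialed;
  return parseList(requested).filter(name => {
    if (allow.has(name)) return false;
    // Even with "*", Authorization must be listed by name.
    if (wildcard && name !== 'authorization') return false;
    return true;
  });
}

// Access-Control-Allow-* are response headers; when a client sets them
// on a request they become custom headers that the preflight must approve.
function responseOnlyHeaders(requested) {
  return parseList(requested).filter(n => n.startsWith('access-control-allow-'));
}

console.log('blocked by preflight:',
  blockedHeaders(PREFLIGHT_REQUEST_HEADERS, SERVER_ALLOW_HEADERS));
console.log('response-only names sent by the client:',
  responseOnlyHeaders(PREFLIGHT_REQUEST_HEADERS));
console.log('blocked with only authorization and content-type:',
  blockedHeaders('authorization,content-type', SERVER_ALLOW_HEADERS));
```

The four names reported as blocked are exactly the `Access-Control-Allow-*` headers set on the XHR; `authorization` and `content-type` are already on the server's allow list.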