You need to configure the server to not require authorization for OPTIONS requests (that is, the server the request is being sent to — not the one serving your frontend code).
That’s because what’s happening is this:
- Your code tells your browser it wants to send a request with the
Authorizationheader. - Your browser says, OK, requests with the
Authorizationheader require me to do a CORS preflightOPTIONSto ensure the server allows requests with theAuthorizationheader. - Your browser sends the
OPTIONSrequest without theAuthorizationheader, because the whole purpose of theOPTIONScheck is to see if it’s OK to include that header. - Your server sees the
OPTIONSrequest but rejects it with a 401 since it lacks the header. - Your browser expects a 200 or 204 response for the CORS preflight but instead gets that 401. So your browser stops right there and never tries the
POSTrequest from your code.
Further details:
The Access-Control-Request-Headers and Access-Control-Request-Method request headers show in the question indicate the browser’s doing a CORS preflight OPTIONS request.
And the presence of the Authorization and Content-Type: application/json request headers in your request are what trigger your browser do that CORS preflight — by sending an OPTIONS request to the server before trying the POST request in your code. And because that OPTIONS preflight fails, the browser stops right there and never attempts the POST.
So you must figure out what part of the server-side code on the server the request is being sent to causes it to require authorization for OPTIONS requests, and change that so it instead responds to OPTIONS with a 200 or 204 success response without requiring authorization.
For specific help on OPTIONS-enabling a Spring server in particular, see the following answers:
- Disable Spring Security for OPTIONS Http Method
- Spring CorsFilter does not seem to work still receiving a 401 on preflight requests
- Response for preflight has invalid HTTP status code 401 – Spring
- AngularJS & Spring Security with ROLE_ANONYMOUS still returns 401