Cloud File Storage for App


I am trying (and failing) to connect to my OwnCloud from the Angular application I am developing. I have tried whitelisting my deployment domain(s), and I have given my app an individual token to use in authentication, but I’m not getting past CORS.

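import { HttpHeaders } from '@angular/common/http';

// HttpHeaders is immutable: append() returns a new instance, so chain the calls.
const output = new HttpHeaders()
  .append('Accept', 'application/myApp')
  .append('Authorization', 'Bearer myUserName:myAppToken');
const Options = {headers: output};
this.client.request('PROPFIND', 'http://MyWebDavPath/', Options).subscribe(res => {
  // handle the response
});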

Can anyone tell me what I’m doing wrong, or if I’m even close to the right track?

I think you have to add an Origin header if you want to access it with a self-written app. Had a similar problem some time ago. Maybe the same applies here.

Thanks, but this didn’t do it. I attempted with all whitelisted domain names, and with the server IP the app is deployed on (after whitelisting that, too), to no avail.

EDIT: Found a solution to the CORS-Problem, but I still can’t authenticate. I used Basic ${btoa(myUsername:myPassword)} as in the http headers documentation. Is this server using a different authentication method, or is there something I’m still missing?

For the CORS-Problem, I had to append /config/config.php with " 'cors.allowed-domains' => [http***myDomain.mdex] "; the entries in the GUI don’t do jack.

I think you have to add an Origin header if you want to access it with a self-written app. Had a similar problem some time ago. Maybe the same applies here.

Notes-API: Cross-Origin Request Blocked Server-Apps

I repeated the tests. Server: localhost Client: localhost, Firefox with unmodified webextension from AMO It fails with the unmodified code, with the well-known message (console). Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http***localhost/owncloud/index.php/apps/notes/api/v0.2/notes?exclude=content. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). But if you add the value of the origin value, in my case moz-extension***24e15b4…

Maybe you should consider posting more details.

Sorry about the lack of details, I’m still rather new to JavaScript and PHP, and I’m not even entirely sure what is relevant in this context, and how exactly to talk about it. Maybe you’ve seen my edit of my response to your answer; I did a bit more explaining and hope you can make more sense of it.

Well, they do, at least they did the last time I was using it. But the input must be a valid URL.

Could be interesting for others as well.

Yes, the UI only accepts valid and specific domain addresses. But when I found and downloaded the config.php, I found that there was no entry ‘cors.allowed-domains’, which I then created myself. After uploading my adjusted config.php, I didn’t get the CORS-reject error response anymore.

Config.php can be reached via FTP on the server you are running your ownCloud application on, in the case of my server (


open with editor, looks like this:

<?php
$CONFIG = array (
  'instanceid' => 'aninstanceid',
  'passwordsalt' => 'apassword',
  'secret' => 'asecret',
  // !!! entry to add (placeholder origin; list your own deployment origins here)
  'cors.allowed-domains' => [
    'https://myapp.example.com',
  ],
  // !!!
  'trusted_domains' => 
  array (
    0 => '',
  ),
  'datadirectory' => '/var/www/datadirectory/path',
  'overwrite.cli.url' => '',
  'dbtype' => 'sqlite3',
  'version' => '',
  'logtimezone' => 'UTC',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/ownCloud/path',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/externalapps/path',
      'url' => '/apps-external',
      'writable' => true,
    ),
  ),
  'installed' => true,
);

I edited some stuff so my data can’t be glanced. The section that is enclosed by !!! is what needs to be edited in with the appropriate data, and then uploaded to its source location (FTP is easiest imho, also assuming you’re an admin).


I’ve been combing the documentation, and I can’t find any information on how to handle my authorization header. I’ve also been scouring the git pages for the android client to see how it was handled there, but I can’t really make any sense of it, or at least find out what I’m doing wrong. If I can’t get this up and running, I am screwed

Something like this?

headers = {
      Authorization: 'Basic ' + btoa(`${res.username}:${res.password}`),
      'Content-Type': 'application/json'
};

Idk what changed, but now it’s accepting my request. Thanks!

Glad to hear that it works.

Now you should care about your CORS-issue. Adding “everything” to cors.allowed-domains cannot be a real solution.


That’s just a list of example domains. I only allow my deployment site(s) access. I guess if someone spoofed my domain that wouldn’t be so good, but as far as I checked, the Origin header is ignored on my server.

OK, I see. This is another strategy.

@NickV I can’t thank you enough for posting the solution. I honestly was about to give up on ownCloud. They should pay you.
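
The allowlist discussion above, as an added example that is not part of the original posts and not ownCloud's own code: a sketch of how a server can answer the preflight a browser sends before a PROPFIND carrying an Authorization header, using exact-match origins. The function name, the allowlists and the sample requests are assumptions constructed for illustration.

```javascript
// Hypothetical allowlists (constructed values, replace with your deployment's).
const ALLOWED_ORIGINS = new Set(['https://myapp.example.com']);
const ALLOWED_METHODS = ['GET', 'PUT', 'PROPFIND'];
const ALLOWED_HEADERS = ['authorization', 'content-type', 'accept'];

// Decide the response to a CORS preflight (OPTIONS) request.
// Returns { status, headers }. Without the Access-Control-* headers the
// browser refuses to send the real request. The 403 is a design choice here.
function preflight(req) {
  const origin = req.headers['origin'];
  const method = req.headers['access-control-request-method'] || '';
  const wanted = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);

  const denied = { status: 403, headers: {} };
  // Exact string match only: no '*', no substring or suffix comparison.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return denied;
  if (!ALLOWED_METHODS.includes(method)) return denied;
  if (!wanted.every(h => ALLOWED_HEADERS.includes(h))) return denied;

  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin, // echo the matched origin, never '*'
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      'Vary': 'Origin', // keep shared caches from reusing one origin's answer
    },
  };
}

// Constructed sample requests: PROPFIND is not a CORS-safelisted method and
// Authorization is not a safelisted header, so the browser always preflights.
const fromApp = { headers: {
  'origin': 'https://myapp.example.com',
  'access-control-request-method': 'PROPFIND',
  'access-control-request-headers': 'authorization',
} };
const lookalike = { headers: { ...fromApp.headers,
  'origin': 'https://myapp.example.com.evil.test' } };

console.log(preflight(fromApp).status, preflight(lookalike).status);
```

CORS is enforced by browsers only; a non-browser client can send any Origin value it likes, so the allowlist complements per-request authentication (the Basic header with an app token) and does not replace it.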