Update: This is a bug in GoogleDrive, CORS is not enabled for upload URIs. @Nivco pointed me to a work around with Google’s client library which uses an iframe and a proxy (not CORS). I’m putting the (tested) working code at the bottom, along with a detailed explanation. Please see the answer, below for the example.
Inserting File to Google Drive through API and Authorization of Google Drive using JavaScript say that the upload endpoints support CORS, but I haven’t been able to use them. I can get authorization and insert an empty file, using Files: insert, but I can’t upload content to it — I get a 405 (Method not allowed) error when I use https://www.googleapis.com/upload/drive/v2/files when I use either of the two techniques given in the example in the inserting file stack overflow post.
Is it possible that CORS worked for v1 and hasn’t been enabled for v2?
EDIT: By the way, the 405 error is on the OPTIONS request that chrome is making.
EDIT: Here’s the code from one of my attempts:
Before I present the code I want to highlight that I am able to authenticate and list files. I just can’t upload data to a file.
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://www.googleapis.com/upload/drive/v2/files?uploadType=multipart');
xhr.setRequestHeader('Authorization', 'Bearer ' + params.access_token);
xhr.setRequestHeader("Content-Type", 'multipart/related; boundary="END_OF_PART"');
xhr.onreadystatechange = function(data) {
if (xhr.readyState == DONE) {
document.getElementById("files").innerHTML = "Uploaded file: " + xhr.responseText;
};
}
xhr.send([
mimePart("END_OF_PART", "application/json", json),
mimePart("END_OF_PART", "text/plain", "a\nb\n"),
"\r\n--END_OF_PART--\r\n",
].join(''));
function mimePart(boundary, mimeType, content) {
return [
"\r\n--", boundary, "\r\n",
"Content-Type: ", mimeType, "\r\n",
"Content-Length: ", content.length, "\r\n",
"\r\n",
content,
].join('');
}
Here is the request:
Request URL:https://www.googleapis.com/upload/drive/v2/files?uploadType=multipart
Request Method:OPTIONS
Here is the response:
Status Code:405 Method Not Allowed
cache-control:no-cache, no-store, must-revalidate
content-length:0
content-type:text/html; charset=UTF-8
date:Mon, 23 Jul 2012 22:41:29 GMT
expires:Fri, 01 Jan 1990 00:00:00 GMT
pragma:no-cache
server:HTTP Upload Server Built on Jul 17 2012 16:15:04 (1342566904)
status:405 Method Not Allowed
version:HTTP/1.1
There is no response, because Chrome gets a 405 error for that OPTIONS request. There is no POST, because Chrome can’t proceed, since its OPTIONS request failed with a 405, and so it prints this error in the console:
XMLHttpRequest cannot load https://www.googleapis.com/upload/drive/v2/files?uploadType=multipart. Origin https://leisurestorage.appspot.com is not allowed by Access-Control-Allow-Origin.
This answer (and in fact the question itself) is now redundant given full CORS support as confirmed by Steve Bazyl
Working code, using @Nivco’s help, along with detailed explanation:
Here is the working code for a full test of this technique. To use this, you need to make two pages. The first page authenticates and launches the second page, which is your actual app. In order to be able to access the Google Drive API to upload a file, you need to register an app, which is described here.
Your first page will use OAuth, which is described in this Stackoverflow answer. It calls your app with a fragment that looks like this:
In JavaScript, you can access that fragment with
location.hash. After you save the value, it’s a good idea to setlocation.hashto the empty string right away, so that it doesn’t show up in the browser’s location bar. Your app needs to use the value of access_token from the fragment in its CORS requests and also in the proxied (non-CORS) request to the upload API. Here is an example launch page, which is really just a version of the code from OAuth example:Here is an example app that uploads
a\na\b\nto a file calledleisureUploadin your GoogleDrive, using Google’s Client Library for JavaScript. There is no need to use any of the gapi.auth methods, because it uses a raw gapi.client.request() call with the Authorization header directly in the call, just like it would with xmlHttpRequest() using CORS: