Facing a CORS ERROR in local server - php

I'm sending a post request with XMLHttpRequest to my other domain in local but I get the CORS error below:
Failed to load http://another.local/: The 'Access-Control-Allow-Origin' header contains multiple values '*, http://example.local', but only one is allowed. Origin 'http://example.local' is therefore not allowed access.
I had set header in PHP as below:
<?php
header("Access-Control-Allow-Origin: *",false); //header("Access-Control-Allow-Origin: *");
header('Access-Control-Allow-Methods: POST, GET');
header("Access-Control-Allow-Credentials: true");
header('Access-Control-Max-Age: 1000');
header("Content-type:application/json");
readfile('data.json');
Despite setting the header, I'm still getting the CORS error; what am I doing wrong and how can I fix it?

You can try setting header('Access-Control-Allow-Origin: *');
And also check whether you have the same header twice

Finally, I fix this problem.
I use Laragon for PHP development and I don't know its Laragon configuration or apache that by default they set this in the config file:
Header always set Access-Control-Allow-Origin "*"
and this makes conflicts with headers that I set in PHP. I comment it and can set headers with no problems.
thanks to #Thamaraiselvam & #rahul-mukherjee for helping me.

You can try with
header('Access-Control-Allow-Origin: http://example.local', false);
if you have not set the http methods you can use :
header("Access-Control-Allow-Credentials: true");
header('Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS');
header('Access-Control-Max-Age: 1000');
header("Access-Control-Allow-Headers: ACCEPT, CONTENT-TYPE, X-CSRF-TOKEN");
Note: please change the values as per your requirement:

Related

CORS error in PHP server, even though 'header('Access-Control-Allow-Origin: *')' is present

I got a simple PHP server running on my local. I send requests from frontend to the PHP server. But I get CORS error even though 'header('Access-Control-Allow-Origin: *')' is present on the PHP file.
Frontend runs on 8080 port and PHP server runs on 3000 port.
Here is the error I get
Access to XMLHttpRequest at 'http://localhost:3000/' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
And these lines are at the top of the PHP file
header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Credentials: true");
header('Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS');
header('Access-Control-Max-Age: 1000');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token , Authorization');
Any idea why?

Preflight Request fails CORS (does not have HTTP Request OK status ) when response code isn't hardcoded

I am using a simple PHP backend and Angular frontend. I was having trouble with CORS. I have set proper headers and still faced CORS block. I tried a lot of things and noticed the following.
Since I expected a lot of PHP files I wanted uniformity among the responses. So, I created a PHP file called httpHelper.php and added a function that would set headers, response status code, and return the response.
The following is the httpHelper.php
<?php
function json_response($code = 200, $message = null)
{
header_remove();
http_response_code($code);
header('Content-Type: application/json');
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
return "{ \"detail\":". $message."}";
}
The call to this function would be made from another PHP file that would be like,
echo json_response(200, json_encode(FALSE));
I was faced with the CORS block..
Access to XMLHttpRequest at
'http://localhost:8080/checkFeedbackStatus.php' from origin
'http://localhost:4200' has been blocked by CORS policy: Response to
preflight request doesn't pass access control check: It does not have
HTTP ok status.
But when the same httpHelper.php was coded with a constant status code, I have no issue.
<?php
function json_response($code = 200, $message = null)
{
header_remove();
http_response_code(200);
header('Content-Type: application/json');
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
return "{ \"detail\":". $message."}";
}
I would like to know what I am missing, where things are getting messed up.
By the way, The request type was HTTP POST
It will not work until you use actual domain, it is currently against the CORS headers.
there may be several ways to make it work but i know only 2 of them.
Using Proxy in Xampp
Using Ngrok, this will provide you public domain to loopback on localhost.
If you are using xampp, you can edit httpd.conf and add a proxy at the end of the file and restart the apache service
ProxyPass /checkStatus http://localhost:8080/checkFeedbackStatus.php
ProxyPassReverse /checkStatus http://localhost:8080/checkFeedbackStatus.php
For Ngrok you can read the docs here
Once you setup ngrok, you can use any port to use ngrok as a public domain
ngrok http 8080

I am getting CORS errors despite setting PHP headers and .htaccess file

I have had a lot of success securely allowing CORS but I have tried with another page and it's not working. I hope someone can tell me what I'm missing. I know that * is insecure, but I'm trying that just to eliminate the site name as a variable.
.htaccess file
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
and the top of my php file:
// Allow from any origin just for testing...
if (isset($_SERVER['HTTP_ORIGIN'])) {
// in production, no *, but using my real domain
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400');
}
// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
}
When accessing the php file with an ajax request, I receive:
Access to XMLHttpRequest at 'https://sitename.000webhostapp.com/' from origin 'https://samesitename.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
It works in Postman. Here is header info:
Date →Mon, 29 Apr 2019 18:50:03 GMT
Content-Type →text/html; charset=UTF-8
Transfer-Encoding →chunked
Connection →keep-alive
Access-Control-Allow-Origin →*
Access-Control-Allow-Headers →origin, x-requested-with, content-type
Access-Control-Allow-Methods →PUT, GET, POST, DELETE, OPTIONS
Server →awex
X-Xss-Protection →1; mode=block
X-Content-Type-Options →nosniff
X-Request-ID →18341eb6e5c7e5f483d8dd3a3a492b9c
Content-Encoding →gzip
The bigger story is that I'm hosting the main site on firebase which doesn't support PHP, so I put the php files on 000webhostapp.com as a workaround.
In case anyone comes across this post with a similar issue, my resolution was to double check the url!!!
I posted that I was checking
https://sitename.000webhostapp.com/
when I was supposed to reference
https://sitename.000webhostapp.com/php/mail.php
Thanks to #Phil and #emix for forcing me to check the details.

CORS error in angularjs + PHP application

I'm working on AngularJS and PHP application. When I try to run the index.html page, its throwing this error,
MLHttpRequest cannot load http://...... No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost' is therefore not allowed access.
The response had HTTP status code 500.
Working on LAMP.
I know I need to include the header files. But where should I include it? Should I include it in config.php where I had definded my database? If not then where??
You are missing CORS settings on your PHP headers, try adding following:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Request-With');
header('Access-Control-Allow-Credentials: true');
Set header:
header('Access-Control-Allow-Origin: http://example.com', false);

header('Access-Control-Allow-Origin: *'); Not allowing CORS request

I have a PHP file which generates a JSON document.
I've set the header as follows but am still getting an error.
header('Access-Control-Allow-Origin: *');
header('Content-Type: application/json');
Error message:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://mysubdomain.mydomain.com' is therefore not allowed access.
I've tried explictly allowing mysubdomain.mydomain.com using
header('Access-Control-Allow-Origin: https://mysubdomain.mydomain.com');
But I still get the error.
It doesn't look there is anything wrong with the code that sets the header, but you may want to check if the header is actually being set. Use curl -i http://yourapp to check the response headers being sent to debug it. Alternatively, you can use the network tab in Google Chrome's web inspector, or the Network tool in Firefox's Web Developer tools.
with htaccess file you can try to set :
Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH,DELETE"
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "content-type,Authorization,Cache-Control,X-Requested-With, X-XSRF-TOKEN"
Or with PHP:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: Authorization, Content-Type, x-xsrf-token, x_csrftoken, Cache-Control, X-Requested-With');
Such a situation may arise when an error occurs on the requested page. In this case the error page sets headers, that likely has no Access-Control-Allow-Origin header.

Categories