I have made one API application, and using jQuery ajax I am trying to get data from API. But I am getting error 401: Authorization Error. Later I found the header Authorization is not passing with request, so API cannot able to track it. Below is the code which I used for my application. Please help me...
PHP Code:
header("Access-Control-Allow-Orgin: *");
header("Access-Control-Allow-Methods: *");
header("Access-Control-Allow-Headers: Authorization, X-Requested-With, Content-Type");
header("Access-Control-Allow-Credentials: true");
jQuery Code:
$.ajax({
type: method,
url: url,
dataType: 'JSONP',
crossDomain: true,
headers: {'X-Requested-With': 'XMLHttpRequest'},
beforeSend: function (xhr){
xhr.setRequestHeader('Authorization', "Basic xxxx");
},
success: function (){
alert('Thanks for your comment!');
}
});
Related
So, I'm having a problem retrieving custom headers from ajax call.
This is my ajax call:
$.ajax({
url: 'api.php',
type: 'get',
processData: false,
beforeSend: function(xhr) {
xhr.setRequestHeader('HASH', '5c268592cd4db9c7f6b813bb689005c6');
},
success: function(data) {
console.log(data);
},
error: function(xhr, status, error) {
console.log(xhr);
}
});
And in my api.php, I have this:
<?php
$headers = getallheaders();
print_r(json_encode($headers));
the output:
......
"Access-Control-Request-Headers":"content-type,hash",
....
This returns null:
echo $headers['hash'];
// or this echo $headers['HASH'];
You are making a cross-origin request (you shouldn't be, since your code shows a relative URL, but perhaps there is an HTTP redirect in play somewhere) and adding custom headers.
This means that it is not a simple request, but requires a preflight OPTIONS request.
The output you see is the headers of the OPTIONS request asking permission from the server to send the request with the custom headers.
You need to grant that permission, then the browser will make a second request (which is the one you are expecting).
header("Access-Control-Allow-Origin: http://example.com/");
header("Access-Control-Allow-Headers: HASH, Content-Type");
header("Access-Control-Allow-Methods: GET");
Try this $_SERVER["HTTP_HASH"];
It is about a javascript pixel to follow up who does what in a sales funnel on the web.
I have a javascript script on my customer thrivecart domain (e.g. https://ownspace.thrivecart.com)
I want to make a request to another domain (e.g. https://emails.mycustomer.com) from which the javascript script is from.
Here is the main part of the javacsript code on https://ownspace.thrivecart.com :
$(document).ready(function () {
console.log("loading pixel");
$.ajax({
url: 'https://emails.mycustomer.com/server_side_script.php',
type: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest'},
data: {my:ciphered_get_parameters},
success: function (result) {
console.log(result);
}
});
});
Here is what I have server side for the moment : (server_side_script.php)
<?php
header('Content-Type:application/json');
header("Access-Control-Allow-Origin:https://ownspace.thrivecart.com");
header("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With, Accept");
// Special data treatment
I get this error on the thrivecart page :
Failed to load https://emails.mycustomer.com/server_side_script.php: Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers in preflight response.
However, I read that "
Access-Control-Allow-Headers :
Indicates which headers are supported by the response’s url for the purposes of the CORS protocol."
As the header is on in the PHP code, I don't understand why it does not work.
I even tried to set the X-Requested-With header in the response with NGINX conf file, restarting the server.
But, I think I miss a point.
Appears to be a typo in
header("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With, Accept");
Try
header("Access-Control-Allow-Headers:Content-Type, Authorization, X-Requested-With, Accept");
I am calling a remote php file via ajax via
$.ajax({
url: 'home.php',
type: 'POST',
data: formData,
crossOrigin: true,
async: true,
success: function (data) {
$("#home").trigger('reset');
console.log(data);
},
error: function (data, textStatus, jqXHR) { $("#home").trigger('reset');},
cache: false,
contentType: false,
processData: false
});
and this is the code in home.php
$url = 'http://api.example.com/post-data';
header("Location: $url", TRUE, 307);
return 'User Is Inserted';
I have this enabled
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
and i am able to call the url as i had hoped. However, on the client side i am getting this error
Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at http://api.example.com/post-data (Reason: CORS
header ‘Access-Control-Allow-Origin’ missing).
For the fix, i want to be able to suppress any errors returned by the redirect code
header("Location: $url", TRUE, 307); or manipulate the error returned.
Is there some way i can hide the error Cross-Origin Request Blocked:... from the client side developer panel?.
I am on shared hosting where the support team says that curl is enabled and that get_file_contents works but that's not the case. I am using php 7.
The php file
<?php
/**
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
*/
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
I am sending a POST request to a different domain like so in angular:
$http.post('http://domain.com/auth', { email: $scope.email, password: $scope.password })
And in my request logs, it was only sending an OPTION request.
So I added this to my domain.com/auth:
header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
header('Access-Control-Allow-Methods: GET, POST, PUT');
But now, I am getting an OPTION request first, and then a POST request. So because my OPTION request is first, I think it is still messing with my results.
Does anyone know how to only get the POST request and not the OPTIONS request?
You can prevent a preflight on POST by triggering a simple request
To achieve this, use $httpParamSerializerJQLike to encode your data (make sure to inject the serializer) and set the content-type to application/x-www-form-urlencoded:
$http({
url: 'YOUR_ENDPOINT',
method: 'POST',
data: $httpParamSerializerJQLike(YOUR_DATA),
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
}
})
I'd like to load a site from a different domain. I've already set headers through php in my header.php file:
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: *");
I've searched around for the correct way to do the ajax request with cross domain enabled and ended up with this:
$.ajax(
{
type: 'GET',
url: target,
processData: true,
data: {},
dataType: "json",
success: function (data)
{
$("#toolsarea").attr('src', target);
}
});
but I still get the error "No 'Access-Control-Allow-Origin". Is there still something I'm missing?
Your issue is related to Same origin policy which prevent JavaScript to make an AJAX request for security reasons.
You need to make sure CORS is enabled on your PHP server.
You can do it using:
<?php
header("Access-Control-Allow-Origin: *")
More information on how to enable CORS on your server can be found here:
http://enable-cors.org/server_php.html
You can read more about Same-origin policy on the client here:
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy