I have an api with php implemented for login authenrication:
http://somerestsertver.net/sampleapi/auth-login this sets the login session id (e.g. after verifying user credentials)
http://somerestsertver.net/sampleapi/auth-check this checks the login is valid if the session id is set or not
http://somerestsertver.net/sampleapi/auth-logout and this destroys the session and needed logout ...
I set login with $_SESSION["id"]=1 when auth-login in the code
then auht-check would be ok, otherwise the auth-check would contain errors.
it is ok when I call these urls in browser or a ReST Client,
but using them in my angularJS code returns errors for http://somerestsertver.net/sampleapi/auth-check!
it seems the session set is not available via PHPSESSID in the client and it is not working properly
Is it related to sandbox or CORS or html header requests?
Hi I solved the problem finally this way:
Client side, in angularJS I put this in my route-config to apply for all request to ReST-API
$httpProvider.defaults.withCredentials = true;
I think I should have mainly use in .htaccess for web server:
Header add Access-Control-Allow-Credentials "true"
but for your attention, I updated finally the whole .htaccess file to the following:
Header add Access-Control-Allow-Origin "http://localhost:3000"
Header add Access-Control-Allow-Credentials "true"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "GET, POST"
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch "index[0-9]?\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
also I use the following for JSON response in php:
$response="desired JSON response OBJECT";
$status='OK or unauthenticated or ...' ;
$status='200 or 403 or ...';
header("Content-Type:application/json");
header("HTTP/1.1 $status $status_message");
echo json_encode($response);
exit();
Hope this question and answer helps you
Related
I am trying to send some requests from my angular app to my local xampp server, but the requests are blocked due to CORS Policy.
I have already added following line to the httpd.conf file:
Header set Access-Control-Allow-Origin *
I have also added an .htaccess file to my htdocs folder with following content:
Header set Access-Control-Allow-Origin *
I have also added this to my php file:header("Access-Control-Allow-Origin: *"); but this had no impact as well.
My angular app runs on localhost:4200 and the xampp runs on localhost:80
I know allowing every origin is a great security issue, but it is only for testing purpose.
I think you need a few more headers from your server side, namely Access-Control-Allow-Methods and Access-Control-Allow-Headers.
header("Access-Control-Allow-Origin: http://localhost:4200");
header("Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS");
header("Access-Control-Allow-Headers:*");
Try modifying your http.conf like this
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
I am testing rest api in SugarCRM. In order to use crm rest api, I added :
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
to .htaccess file and rebuilt .htaccess File. However, it did not give me solution. I am still getting error message with the following content:
XMLHttpRequest cannot load http://test.crm.loc/custom/clients/base/api/get_account.php. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
How can I fix it?
I found the answer. I put following code to the top of rest api code file:
header('Access-Control-Allow-Origin: *');
It worked for me.
And not understand how fix this problem, web server - apache...
for example:
link.com - all good
sub.link.com - not good, in console error
Font from origin 'link.com' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'sub.link.com' is therefore not allowed access.
i tried add in .htaccess
<IfModule mod_headers.c>
<FilesMatch "\.(svg|ttf|otf|eot|woff|woff2|css)$">
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials true
</FilesMatch>
</IfModule>
after this remove and add this
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
and without .htaccess, I tried add in index.php
header("Access-Control-Allow-Origin: *");
BUT NOT WORKING! I think this problem due to because CSS fots files use like
...
src:url('icons/fonts/journal-icons.eot');
src:url('icons/fonts/journal-icons.eot?#iefix') format('embedded-opentype'),
...
but I do not understand what I need to do to fix this problem??? (It looked similar questions but did not help)
There's a very clear error message in the Chrome javascript console:
Font from origin 'http://www.mss.partneris.net' has been blocked from loading
by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin
'http://www.test.mss.partneris.net' is therefore not allowed access.
Add:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
to your apache configuration for http://www.mss.partneris.net domain, restart apache, and go to http://www.mss.partneris.net/catalog/view/theme/journal2/css/icons/fonts/journal-icons.woff in your browser or using curl, and see that it has Access-Control-Allow-Origin: * response header. When it does, try again in the browser, and hopefully it will all work well.
I have a PHP application where I conditionally set the Access-Control-Allow-Origin header. I see the change reflected on my local setup and on the dev environment, but on the live site, the header is set as something else. The other headers that I set along with it keep their values, so it leads me to believe that the Access-Control-Allow-Origin header is being overwritten somewhere else.
I've checked the .htaccess files in my project and the apache virtual host configuration file for possible places the header could be overwritten. It was being set in the virtual host config file, but I commented it out and restarted apache, but the header is still being overwritten.
Is there any other place that I can check to see if the header is being overwritten?
Thanks in advance for your help!
Here is the requested PHP code snippet:
$origin=$front->getRequest()->getHeader('Origin');
if($origin && (preg_match('/http[s]{0,1}:\/\/' . $front->getRequest()->getHttpHost() . '$/', $origin))){
$front->getResponse()->setHeader('Access-Control-Allow-Origin', $origin);
$front->getResponse()->setHeader('Access-Control-Allow-Credentials', 'true');
}else{
//leave current value if there is no match
$front->getResponse()->setHeader('Access-Control-Allow-Origin', '*');
}
I'm pretty sure the header is being overwritten by something else because I can see the Access-Control-Allow-Credentials:true come through as expected, but Access-Control-Allow-Origin has a value of *.
I did some more digging and found this link to do the same in the .htaccess. I ended up adding the following:
SetEnvIf Origin "^http(s)?://(.+\.)?(www.example.com)$" origin_is=$0
Header set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Header set Access-Control-Allow-Credentials true env=origin_is
You can set header from htaccess:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
Or from PHP:
header("access-control-allow-origin: *");
You can use:
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css|css)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
to apply htaccess header for specified files.
I tried since 5 days to configure correctly CORS to solve the error :
So I tried to add :
header('Access-Control-Allow-Origin: *');
On my webservice (on the same server but different domain name), I got this error :
Request header field Authorization is not allowed by Access-Control-Allow-Headers
Then I tried to add :
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
To a .htaccess file that I created.
But still doesn't work.
Any idea ?
Thanks a lot in advance.
You must include an Access-Control-Allow-Headers header in your response with the proper acceptable header names, just as the error message suggests. It sounds like you do not know how to properly handle CORS requests. Please read this document on MDN, which explains how to handle CORS requests. This will answer all of your questions.