I am trying to load data into a jQuery dialog via ajax but the request is failing in Firefox (34.0.5). Works fine and I get no complaints in Chrome and Safari.
My apache conf contains:
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods: "PUT, GET, POST, DELETE, OPTIONS"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
The jQuery is simply:
$('#dialog').load('example.php', function() { $('#dialog').dialog('open'); });
Firefox responds with the following console error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.example.com/example.php. This can be fixed by moving the resource to the same domain or enabling CORS.
Inspecting the response headers from the ajax request, they all seem to be intact and in line with what's declared in apache. Should I be including some other directive or changing the configuration in some way for this to work?
UPDATE: At the root of the issue is the fact that I'd like both example.com and www.example.com to function the same. The site in question always has a tag in the header <base href="www.example.com" /> in both instances as this is part of the default site framework. I've since discovered that removing this link allows the ajax request to work on example.com, even when it still specifically calls a resource from the www subdomain.
Interestingly, many aspects of the request and response headers change when this tag is removed. For anyone who might have a clue about the implications here I'm pasting both the request and response headers below.
Here are the headers with <base> tag removed. In this case the ajax call was successful:
RESPONSE
HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 22:11:04 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Set-Cookie: PHPSESSID=xxx; path=/; HttpOnly
language=en; expires=Tue, 17-Feb-2015 22:11:04 GMT; Max-Age=2592000; path=/; domain=www.example.com
currency=CAD; expires=Tue, 17-Feb-2015 22:11:04 GMT; Max-Age=2592000; path=/; domain=www.example.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, public
Pragma: no-cache
Content-Encoding: gzip
access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS
access-control-allow-origin: *
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
Content-Length: 1515
Connection: close
Content-Type: text/html; charset=utf-8
REQUEST
GET /example.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:34.0) Gecko/20100101 Firefox/34.0 FirePHP/0.7.4
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://example.com/
Origin: http://example.com
x-insight: activate
Connection: keep-alive
Cache-Control: max-age=0
And here are the headers with the <base> tag intact. These headers reflect the scenario where the ajax call failed. It's worth noting that the 'Location' field in the response header says 'https' even though this was not happening over an https connection:
RESPONSE
HTTP/1.1 302 Found
Date: Sun, 18 Jan 2015 22:12:26 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Set-Cookie: PHPSESSID=xxx; path=/; HttpOnly
language=en; expires=Tue, 17-Feb-2015 22:12:26 GMT; Max-Age=2592000; path=/; domain=www.example.com
currency=CAD; expires=Tue, 17-Feb-2015 22:12:26 GMT; Max-Age=2592000; path=/; domain=www.example.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, public
Pragma: no-cache
Status: 302
Location: https://www.example.com/index.php
access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS
access-control-allow-origin: *
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
Content-Length: 0
Connection: close
Content-Type: text/html
REQUEST
OPTIONS /example.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:34.0) Gecko/20100101 Firefox/34.0 FirePHP/0.7.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://example.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-requested-with
x-insight: activate
Connection: keep-alive
Cache-Control: max-age=0
According to MDN, you can't use the wildcard for "credentialed requests", so maybe your request falls in that category.
I've been tumbling around for a while on the HTTP set-cookie topic but I'm not making any progress. My situation goes as follows:
My API is hosted on api.mysite.com and I have an admin dashboard on admin.mysite.com. I make a POST request from admin.mysite.com to api.mysite.com/login to verify credentials and it returns the session cookie. The cookie configuration is:
session_set_cookie_params([
'lifetime' => 36000,
'path' => '/',
'domain' => '.mysite.com.co',
'secure' => 1,
'httponly' => 0,
'samesite' => 'None'
]);
The response seems okay:
HTTP/1.1 200 OK
Date: Thu, 04 Nov 2021 16:22:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Strict-Transport-Security: max-age=63072000
Access-Control-Allow-Origin: https://admin.mysite.com
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, accept, authorization, client-security-token, Cache-Control, X-Mashape-Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Expose-Headers: Content-Security-Policy, Location
Access-Control-Max-Age: 1000
Upgrade: h2
Connection: Upgrade, Keep-Alive
Set-Cookie: PHPSESSID=hash; expires=Fri, 05-Nov-2021 02:22:57 GMT; Max-Age=36000; path=/; domain=.mysite.com; secure; SameSite=None
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Access-Control-Allow-Credentials: true
Content-Length: 549
Keep-Alive: timeout=5, max=100
Content-Type: text/html; charset=UTF-8
But the cookie is not stored. However, it is stored if I make the request from api.mysite.com/testCookies to api.mysite.com/login so it seems to be a domain/site problem (maybe CORS?)
I will appreciate any guidance on this topic.
Same answer as here. The key point is the usage of the withCredentials property. Not sure, though, why I have to send them even if the cookies originate on subdomain A and are set on subdomain B.
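The checks the two answers above point at (no wildcard origin for credentialed requests, and withCredentials on the client), run against the headers quoted in both questions, as an added example that is not part of the original posts. It is a simplified model of the browser's CORS check, not a complete one; `corsCheck` and the `storesCookies` field are hypothetical names, and the model also covers the 302 answer to the OPTIONS preflight seen in the first question's capture, which a browser does not follow.

```javascript
// Simplified model of the browser-side CORS check (added example, hypothetical names).
function corsCheck({ origin, credentials = false, preflight = false }, { status, headers }) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();

  // A preflight (OPTIONS) must be answered with a 2xx status; a redirect is not followed.
  if (preflight && (status < 200 || status > 299)) {
    return { ok: false, reason: `preflight answered with status ${status}` };
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) return { ok: false, reason: 'no Access-Control-Allow-Origin' };
  if (credentials) {
    // Credentialed requests: "*" is rejected and Allow-Credentials must be "true".
    if (allowOrigin === '*') return { ok: false, reason: 'wildcard origin with credentials' };
    if (h['access-control-allow-credentials'] !== 'true') {
      return { ok: false, reason: 'Access-Control-Allow-Credentials is not true' };
    }
  }
  if (allowOrigin !== '*' && allowOrigin !== origin) {
    return { ok: false, reason: `origin ${origin} not allowed` };
  }
  // Set-Cookie on a cross-origin response is only honoured for credentialed requests.
  return { ok: true, storesCookies: credentials, reason: 'response readable by script' };
}

// CORS headers as sent by www.example.com in both captures of the first question.
const wildcard = {
  'access-control-allow-origin': '*',
  'access-control-allow-methods': 'PUT, GET, POST, DELETE, OPTIONS',
  'access-control-allow-headers': 'Origin, X-Requested-With, Content-Type, Accept',
};
// CORS headers from the api.mysite.com login response in the second question.
const apiLogin = {
  'Access-Control-Allow-Origin': 'https://admin.mysite.com',
  'Access-Control-Allow-Credentials': 'true',
};
const example = 'http://example.com';
const admin = 'https://admin.mysite.com';

const results = {
  simpleGet: corsCheck({ origin: example }, { status: 200, headers: wildcard }),
  preflight302: corsCheck({ origin: example, preflight: true }, { status: 302, headers: wildcard }),
  // Constructed case: the same wildcard headers, but the request carries credentials.
  wildcardCreds: corsCheck({ origin: example, credentials: true }, { status: 200, headers: wildcard }),
  loginNoCreds: corsCheck({ origin: admin }, { status: 200, headers: apiLogin }),
  loginWithCreds: corsCheck({ origin: admin, credentials: true }, { status: 200, headers: apiLogin }),
};
console.log(results);
```

The `loginNoCreds` and `loginWithCreds` rows differ only in the client-side flag: the server headers are identical, but the session cookie is kept only in the credentialed case.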
I am working on a project that inserts events into iCalendar (iPhone) through the CalDAV protocol using PHP.
On localhost the code is working fine. When adding the same code to the server, using some functions, I received an unknown HTTP status.
I tried using dataType: "text/plain" and I also tried contentType, but it is still not fixed. I removed the ajax function and linked directly to the file, but it still shows the same error. Sometimes it shows HTTP/1.1 500 Internal Server Error and HTTP/1.1 415 Unsupported Media Type.
last request:
PUT /rpc/calendars/mediaj11/calendar~722ea7444446*******/.ics HTTP/1.1
Host: mail.mediajenie.com:2080
Authorization: Basic **********
User-Agent: cURL based CalDAV client
Accept: */*
Content-type: text/calendar; encoding="utf-8"
Depth: 1
Content-Length: 556
last response:
HTTP/1.1 500 Internal Server Error
Date: Fri, 28 Jun 2019 10:10:48 GMT
Server: cPanel
Persistent-Auth: false
Host: mail.mediajenie.com:2080
Cache-Control: no-cache, no-store, must-revalidate, private
Connection: Keep-Alive
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3011
Content-Type: text/html; charset=UTF-8
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Set-Cookie: PHPSESSID=5e8045144d7823ac82049d0c7ad40247; path=/
Set-Cookie: horde_secret_key=5e8045144d7823ac82049d0c7ad40247; path=/; domain=mail.mediajenie.com; HttpOnly
Set-Cookie: default_horde_view=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=mail.mediajenie.com
X-Powered-By: PHP/7.2.7
Currently I want to access a URL which requires a cookie. Without the cookie it redirects to another URL. I try to set the cookie in the request header but I am only getting the cookies in the response header. I don't know why this happens.
This is the response header:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Mon, 26 Sep 2016 11:52:59 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: quotev3.php?sub=compare
Pragma: no-cache
Server: nginx
Set-Cookie: PHPSESSID=e2dnbfjvhi29e7qnkm0jbnekc4; path=/
Set-Cookie: country=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
X-Firefox-Spdy: h2
Request header:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 119
Content-Type: application/x-www-form-urlencoded
Host: www.parcelmonkey.co.uk
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
I set a cookie in the header file like this:
$cookie=$_COOKIE['PHPSESSID'];
ob_start();
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Request-With');
header('Access-Control-Allow-Credentials: true');
header('Cookie:'.$cookie);
Any solution will be very appreciated. Thanks.
You need to specify the key of the cookie, not just its value.
Also, the command is Set-Cookie and not Cookie.
Use the setcookie function, or header like this:
setcookie('PHPSESSID', $cookie);
or
header("Set-Cookie: PHPSESSID={$cookie};");
I'm trying to create a bin using the mockbin API. I tried PHP/cURL, SoapUI and Postman, but I keep getting an empty response body:
Request:
POST /bin/create/view HTTP/1.1
Host: mockbin.org
Content-Type: application/json
Accept: application/json
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Tue, 12 Jan 2016 13:21:50 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d183c7edefea549cc0bbe219ac11fe7c81452604909; expires=Wed, 11-Jan-17 13:21:49 GMT; path=/; domain=.mockbin.org; HttpOnly
Vary: X-HTTP-Method-Override, Accept, Accept-Encoding
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: host,connection,accept-encoding,x-forwarded-for,cf-ray,x-forwarded-proto,cf-visitor,content-type,accept,user-agent,via,cf-connecting-ip,x-request-id,x-forwarded-port,connect-time,x-request-start,total-route-time,content-length
Access-Control-Allow-Credentials: true
Content-Encoding: gzip
Via: 1.1 vegur
Server: cloudflare-nginx
CF-RAY: 26392aae22092ac1-WAW
Expected response:
HTTP/1.1 200 OK
Location: http://mockbin.org/3c149e20-bc9c-4c68-8614-048e6023a108
Content-Type: application/json; charset=utf-8
Content-Length: 38
"3c149e20-bc9c-4c68-8614-048e6023a108"
Other API methods work correctly, i.e. echo.
It looks like there is an error in the mockbin API docs. I have installed it locally and checked the request sent when creating a mockbin using the HTML form. It seems the proper request is:
POST /bin/create HTTP/1.1
Host: mockbin.com
Accept: application/json
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
response=%7B%22status%22%3A200%2C%22statusText%22%3A%22OK%22%2C%22httpVersion%22%3A%22HTTP%2F1.1%22%2C%22headers%22%3A%5B%5D%2C%22cookies%22%3A%5B%5D%2C%22content%22%3A%7B%22mimeType%22%3A%22text%2Fplain%22%2C%22text%22%3A%22%22%7D%7D
I'm encountering problems after moving my project management tool to a new server. There is a checkbox on the project list page which, when enabled, hides all projects with the status of complete, writes an entry in the config table of the database (HIDE_COMPLETE_PROJECTS) and then reloads the project list page after the AJAX post is successful. However, after moving the site to another server, changes are made to the database but the project list page does not reload; it seems that no response is being sent back from the server. Not sure if it makes a difference, but my old server had PHP 5.2.17 and the new one has 5.4 installed. Also, the version of jQuery is very old (1.4.4). I thought I might have a problem with compression, so I disabled mod_deflate on the new server, but this didn't help. Interestingly, if I call the PHP file change_hide_completed_status.php directly from the old site, I get non-printing characters, and on the new site Firefox won't display the page due to a content encoding error. I think there is a problem with the server configuration/the content type but I can't get any closer.
Here is the code:
function changeStatus(checkboxStatus) {
    // Declare locally so the value does not leak into the global scope
    var hide_status_value = checkboxStatus.checked ? 1 : 0;
    $.ajax({
        type: 'POST',
        data: {'hide_status': hide_status_value},
        url: 'change_hide_completed_status.php',
        cache: false,
        // Reload the project list once the server has answered successfully
        success: function(response) {
            window.location.reload(true);
        }
    });
}
<?php
include_once ("/var/www/sdtm/etc/config.php");
// $REQUEST_DATA and PhPagaDbData are assumed to be provided by the included config
$status = $REQUEST_DATA['hide_status'];
$d = new PhPagaDbData;
$key = 'HIDE_COMPLETE_PROJECTS';
$fields = array('cfg_value' => $status);
// Update the config row whose cfg_key matches $key (bound through the ? placeholder)
$r = $d->update('config', $fields, 'cfg_key = ?', $key);
exit;
?>
HTTP response old server:
POST /sdtm/change_hide_completed_status.php HTTP/1.1
Host: mccosh.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://mccosh.de/sdtm/projects.php
Content-Length: 13
Cookie: PHPSESSID=d2b013669f1268af1cf516e60ae20c75
Authorization: Basic c2VjcmV0OnNlY3JldA==
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
hide_status=0
HTTP/1.1 200 OK
Date: Tue, 30 Dec 2014 11:04:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 220
Keep-Alive: timeout=5, max=8
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
HTTP response new server:
http://192.168.148.180:12323/change_hide_completed_status.php
POST /change_hide_completed_status.php HTTP/1.1
Host: 192.168.148.180:12323
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.148.180:12323/projects.php
Content-Length: 13
Cookie: PHPSESSID=4pj4md762cm2n1efqm5kljuse2; shellInABox=942508454:111011010
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
hide_status=0
HTTP/1.1 200 OK
Date: Tue, 30 Dec 2014 10:39:16 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u5
Content-Encoding: gzip
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
So now I am feeling silly: the application uses its own gzip compression which was screwing everything up. After disabling this, everything was fine.