I have a subdomain "x.domain.com" which then calls files from the static file subdomain "y.domain.com".
In my config file I have:
require_once("/var/_BACKEND$/functions/cors.php");
This includes the file fine. The contents of "cors.php" is the code contained in the answer for this question:
CORS with php headers (I have tried searching this problem!!)
In the bottom of the config file I also have the code:
if(!function_exists('cors')) die("err"); else cors();
Now for some reason, despite the code being exactly as it is above, and the file including fine, I am still receiving the following error from the Browser:
XMLHttpRequest cannot load
http://y.domain.com/scripts/ajax.php. No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://x.domain.com' is therefore not allowed
access.
Using a header checker also brings the following results:
The 302 is intentional.
This all appears as it should
You can't do that.
Access-Control-Allow-Origin must be present on the actual resource that access is being allowed to, not just a redirect. (Otherwise, you could bypass security restrictions by sending this header on a redirect to anything you wanted!)
Did you tried to use that by .htaccess ?
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Enable a2enmod headers
or modify your php script and replace * (asterisk) with x-requested-with
Related
I am pulling posts from one WordPress website to another. Both websites are on same server. For pulling posts i am using jQuery.ajax with Rest API. But i am getting error message in console
Access to XMLHttpRequest at 'https://www.website1.com/wp-json/wp/v2/posts/?tags=4,198&per_page=24&offset=1&_embed' from origin 'https://website2.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
For this i have added following header
Header set Access-Control-Allow-Origin "*"
In .htaccess of both websites. Also i have used this
crossDomain: true,
In ajax. But still having error. Any help. Please
Just add below lines to .htaccess file and we should be good.
<ifmodule mod_headers.c="">
SetEnvIf Origin "^(.*\.domain\.com)$" ORIGIN_SUB_DOMAIN=$1
Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
Header set Access-Control-Allow-Methods: "*"
Header set Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
</ifmodule>
I have a webpage uses angular js to load some image file from S3 through the CloudFront CDN.
In Chrome I will open an Incognito window as well as the console. they shows some error message
Failed to load
http://cloudfront.net/image.png No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'yyy' is therefore not allowed access.
but no issues in the firebox all images are load. but i face only issues in the chrome
I have checked, changed, and re-checked the settings on S3 and Cloudfront. In S3 my CORS configuration looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedOrigin>http://*</AllowedOrigin>
<AllowedOrigin>https://*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>Authorization</AllowedHeader>
</CORSRule>
</CORSConfiguration>
And also try my .htaccess file like
<ifModule mod_headers.c>
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
</IfModule>
but error shows in the chrome browsers, please any body help to fix the problem
Add a Cloudfront "Edge-To-Origin" Origin header to force CORS response headers on every request (xhr or non-xhr):
Origin ---> http://sub.domain.com
I am running an angularjs application in my local system apache(http://localhost:8080). Here am trying to hit an API with post method. My API(http://php.mpect.com/demo/login.php) is hosted in godaddy server domain. Its a PHP file. I included
header('Access-Control-Allow-Origin: *');
in my php file, but still am getting
XMLHttpRequest cannot load http://php.mpect.com/demo/login.php.
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
I am new to php and godaddy server. How can I solve this? Is there any way to include headers in godaddy domain? sorry for my english. Can anyone please provide me solution code to acheive this CORS problem. Thanks in advance.
Add the configuration into your .htaccess file and you will be fine. This will ensure that the important CORS headers will set on any request. Ensure you have enabled mod_headers on apache2.
# Always set these headers.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
And not understand how fix this problem, web server - apache...
for example:
link.com - all good
sub.link.com - not good, in console error
Font from origin 'link.com' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'sub.link.com' is therefore not allowed access.
i tried add in .htaccess
<IfModule mod_headers.c>
<FilesMatch "\.(svg|ttf|otf|eot|woff|woff2|css)$">
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials true
</FilesMatch>
</IfModule>
after this remove and add this
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
and without .htaccess, I tried add in index.php
header("Access-Control-Allow-Origin: *");
BUT NOT WORKING! I think this problem due to because CSS fots files use like
...
src:url('icons/fonts/journal-icons.eot');
src:url('icons/fonts/journal-icons.eot?#iefix') format('embedded-opentype'),
...
but I do not understand what I need to do to fix this problem??? (It looked similar questions but did not help)
There's a very clear error message in the Chrome javascript console:
Font from origin 'http://www.mss.partneris.net' has been blocked from loading
by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin
'http://www.test.mss.partneris.net' is therefore not allowed access.
Add:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
to your apache configuration for http://www.mss.partneris.net domain, restart apache, and go to http://www.mss.partneris.net/catalog/view/theme/journal2/css/icons/fonts/journal-icons.woff in your browser or using curl, and see that it has Access-Control-Allow-Origin: * response header. When it does, try again in the browser, and hopefully it will all work well.
I tried since 5 days to configure correctly CORS to solve the error :
So I tried to add :
header('Access-Control-Allow-Origin: *');
On my webservice (on the same server but different domain name), I got this error :
Request header field Authorization is not allowed by Access-Control-Allow-Headers
Then I tried to add :
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
To a .htaccess file that I created.
But still doesn't work.
Any idea ?
Thanks a lot in advance.
You must include an Access-Control-Allow-Headers header in your response with the proper acceptable header names, just as the error message suggests. It sounds like you do not know how to properly handle CORS requests. Please read this document on MDN, which explains how to handle CORS requests. This will answer all of your questions.