I have an endpoint which generates serversent events and I used to read it in my client. But recently they enforced the same-origin policy and I get the error No 'Access-Control-Allow-Origin' header is present on the requested resource.
Is there a way to read these server sent events in a php proxy and echo it in my own event service stream?
Can you change the endpoint? To make it generate the required header?
header('Access-Control-Allow-Origin: *');
Alternatively a "php proxy" could work, you can use CURL to load the remote data, then echo it back out adding the header as above.
Be aware that allowing all origins isn't a good idea, and you should instead send a list of trusted domains.
Related
I am a newbie with the react project deployment. The API server is the Laravel project and it's hosted on the Siteground.
I am sure the APIs works by Postman. And the react project runs on localhost:3000. In order to fetch some data with API, I have added the proxy: "http://api server domain" into the package.json.
It always says "Not allowed method" when I am going to fetch the data.
So I have hosted the API server on the localhost. In this case, I have added the proxy: "http://localhost:8000 into the package.json, it works perfectly.
How can I solve this issue?
It's seems like you're having a CORS (Cross-Origin Resource Sharing) problem.
According to MDN, CORS is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.
An example of a cross-origin request: the front-end JavaScript code served from https://domain-a.com uses XMLHttpRequest to make a request for https://domain-b.com/data.json.
For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from, unless the response from other origins includes the right CORS headers.
More technical details HERE.
Solving:
You need to enable CORS on your API service.
If you don't have access to configure Apache, you can still send the header from a PHP script. It's a case of adding the following to your PHP scripts:
<?php header("Access-Control-Allow-Origin: *");
The following link shows how to: How to enable CORS on PHP
Since you're using Laravel, using a middleware may be a good way to solve your CORS situation.
CORS Middleware for Laravel should help you.
hey im new to ionic 3 i prepared a form of contact for my application where the server (php) has to send an email after the filling of the form by the user .
in the server i use the function mail to send email by the server it works find and it sends email even with the appearence of error of No 'Access-Control-Allow-Origin' header
I already added the two headers in my php scripts
header("Access-Control-Allow-Origin: *");
header('Content-Type: text/html; charset=utf-8');
This is not a problem of your ionic app. The server you try to access via api call doens't support CORS. Hopefully this article helps you to solve your problem.
https://blog.ionicframework.com/handling-cors-issues-in-ionic/
There is a tutorial or solution to solve your problem.
Here is the important part for you
Dealing with CORS in Ionic
CORS is only an issue when we are running or testing our app when running ionic serve or ionic run -l.
There are two ways to solve the issue: The first, and easier, solution
is to just allow all origins from your API endpoint. However, we can’t
always control the endpoint we are accessing. What we need, then, is a
request that does not specify an origin.
We can do this by using a proxy server. Let’s look how the Ionic CLI
provides an easily configurable proxy server.
I have a php websocket based application where the websocket is the core. Would it be a good idea to use sec-websocket-protocol for authentication.
This is my plan.
User logins using there credentials and I use php sessions to track the user between pages.
Now when user initiates the application a random token is generated and stored in Database which is then passed in the header when websocket is initiated. The header looks kind of
Cache-Control:no-cache
Connection:Upgrade
Host:tonywilk.no-ip.org:12352
Origin:http://********.com:port
Pragma:no-cache
Sec-WebSocket-Key:DMF3ByMTLq+cp7AyMN0qUA==
Sec-WebSocket-Protocol:**Token** **<-- browser sends token
Sec-WebSocket-Version:13
Upgrade:websocket
I use the token to verify the user and send server respons with handshake
Connection:Upgrade
Sec-WebSocket-Accept:L6wqtsHk6dzD+kd9NCYT6Wt7OCU=
Sec-WebSocket-Protocol: **Token** <-- server replies ok
Upgrade:WebSocket
Is this a good idea or is there a better way to do it
You should use Authorization header for authentication.
Using Sec-WebSocket-Protocol header for authentication is bad idea, because it changes the header meaning:
The |Sec-WebSocket-Protocol| header field is used in the WebSocket
opening handshake. It is sent from the client to the server and back
from the server to the client to confirm the subprotocol of the
connection. This enables scripts to both select a subprotocol and be
sure that the server agreed to serve that subprotocol. (c) RFC 6455 – The WebSocket Protocol
I'm using RatchetPHP for my websocket application.
I can't pass headers when opening a websocket connection, so I pass an OAuth2 token to the websocket uri. It looks like this:
new Websocket('ws://localhost:8482?access_token=XXX')
If you can easily retrieve query parameters in your websocket application, this is something you could try.
This is the trick I'm using in Sandstone: https://eole-io.github.io/sandstone/authentication.html
I'm trying to build a new API using Lumen (even though I'm having second thoughts about that), and am trying to use barryvdh's CORS package. I think I have it setup properly, so decided to do a simple request in angular to the default route setup.
With my current, manually setup API, when I make an API request, I always see 2 requests: the first being an OPTIONS request, the second being the POST/GET/DELETE/whatever. When I hit the Lumen api (on a different subdomain), I only see one request, being the POST or GET I'm testing. Both return me the expected results, but I still get the No 'Access-Control-Allow-Origin' header is present on the requested resource., presumably because there was no OPTIONS request?
Do I not understand CORS well enough? Is this expected? Do I not understand Lumen? I have no idea where I've gone wrong with this one.
You will need to intercept the OPTIONS request in Lumen and make sure it returns the cors headers. See https://gist.github.com/danharper/06d2386f0b826b669552 Also you can try and use Postman (a nice app for testing apis) to inspect if the headers were send correctly. https://www.getpostman.com/.The headers you are looking to add are
'Access-Control-Allow-Origin' '*';
'Access-Control-Allow-Headers' 'Content-Type';
Note the headers can also be added to your web server instead of your app but that's not always a good idea.
So, I'm trying to use PHP Http sockets to execute a rest action on a distant server.
My goal is to have my PHP script automatically execute various actions that I usually perform when browsing "manually".
The distant website is an e-commerce oriented portal (no name provided) and connection is through HTTPS (I think that may be the problem here).
[There is no hacking here, just automation!]
I manage to execute several actions with my script like logging in to the website using my username and password, adding items to my cart etc.
Using Firebug I found that the action triggered for confirming order is /createOrder, but when I try to validate my order using my script with my session cookies I get a 401 Unauthorized error (detailed below)
So I tried several times to access this action with CURL using my usual username and password but I never manage to get access.
How is it possible that I could access it by browsing manually but not with my script? Is there a way to make it work?
Response headers include:
Server: Apache
X-Cnection: close
Content-Length: 1518
WWW-Authenticate: Basic realm="WebLogic Server"
X-Powered-By: Servlet/2.5 JSP/2.1t
"The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11."
Problem solved.
It was a cookie issue.
I was not sending the token cookie correctly.