I have been trying for 5 days to configure CORS correctly to solve the error:
So I tried to add:
header('Access-Control-Allow-Origin: *');
On my webservice (on the same server but different domain name), I got this error:
Request header field Authorization is not allowed by Access-Control-Allow-Headers
Then I tried to add:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
To a .htaccess file that I created.
But it still doesn't work.
Any idea?
Thanks a lot in advance.
You must include an Access-Control-Allow-Headers header in your response with the proper acceptable header names, just as the error message suggests. It sounds like you do not know how to properly handle CORS requests. Please read this document on MDN, which explains how to handle CORS requests. This will answer all of your questions.
I'm working on an Angular application which should connect to an Apache backend.
The Apache REST API is working properly and I can use it over Postman, but I haven't managed to consume it from my Angular application due to CORS problems which are driving me crazy. I have checked everything, but the error persists and I can move forward.
Let me explain the environment and situation:
The app is sending a POST Request to the backend. I have tried sending and not sending the header 'Access-Control-Allow-Origin':'*', but it fails in both cases.
The apache headers are already enabled.
The apache2.conf file doesn't include any configuration of the headers regarding this problem.
The .htaccess file of my site is empty.
The apache config site for the site of the API is:
<Directory "/home/javierd/test">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Allow from all
Require all granted
Header unset Access-Control-Allow-Origin env=AccessControlAllowOrigin
Header unset Access-Control-Allow-Methods env=AccessControlAllowOrigin
Header unset Access-Control-Allow-Headers env=AccessControlAllowOrigin
Header unset Access-Control-Expose-Headers env=AccessControlAllowOrigin
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
</Directory>
Alias /test "/home/javierd/test/html/www"
As far as I know, this should work, but every time I try to access the API I get
Access to XMLHttpRequest at 'http://localhost/test/rest' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
And I don't really know why there are multiple * values.
I have also tried with simpler configurations, using just Header set Access-Control-Allow-Origin "*" (without the always). With this config I get a similar CORS error:
Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
However, as I mentioned previously, the API is working with postman.
I have also tried using a proxy with the Angular CLI, but I end up getting 404 errors although the logs show that the proxy is working. My proxy config file is the following one:
{
"/test": {
"target": "http://localhost/test",
"secure": false,
"changeOrigin": true,
"logLevel": "debug"
}
}
but the logs show
[HPM] POST /test/rest/login -> http://localhost/test
so I don't really know if the petitions are being redirected or not.
I know there are lots of questions regarding CORS and Apache/Angular, and I have read lots of them, but I can't figure out a solution.
Could somebody help me?
Thanks a lot!
Your web browser restricts localhost; you can disable web security if you are using Chrome.
Win + R
then run this command:
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security
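The preflight failures quoted in the questions above (a header not allowed by Access-Control-Allow-Headers, multiple Access-Control-Allow-Origin values, a preflight without an OK status) can be reproduced offline with a small model of the browser's check. This is an added example, not part of any post on this page: `checkPreflight`, the request object and the sample responses are constructed, the check follows the Fetch standard for a request sent without credentials, and the returned messages are this example's own wording, not a browser's.

```javascript
// Simplified model of a browser's CORS preflight check, in the Fetch
// standard's order, for a request sent without credentials. Response headers
// are [name, value] pairs because duplicates matter.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];

function values(headers, name) {
  return headers
    .filter(([n]) => n.toLowerCase() === name)
    .flatMap(([, v]) => v.split(','))
    .map((v) => v.trim())
    .filter(Boolean);
}

function checkPreflight(req, res) {
  const origins = values(res.headers, 'access-control-allow-origin');
  if (origins.length === 0) return 'Access-Control-Allow-Origin missing';
  if (origins.length > 1) return `Access-Control-Allow-Origin has multiple values '${origins.join(', ')}'`;
  if (origins[0] !== '*' && origins[0] !== req.origin) return 'origin not allowed';
  if (res.status < 200 || res.status > 299) return 'preflight response does not have HTTP ok status';
  const methods = values(res.headers, 'access-control-allow-methods');
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method) && !methods.includes('*')) {
    return `method ${req.method} not allowed by Access-Control-Allow-Methods`;
  }
  const allowed = values(res.headers, 'access-control-allow-headers').map((h) => h.toLowerCase());
  for (const name of req.headers.map((h) => h.toLowerCase())) {
    // In the Fetch standard the "*" wildcard never covers Authorization.
    const byWildcard = allowed.includes('*') && name !== 'authorization';
    if (!allowed.includes(name) && !byWildcard) {
      return `request header ${name} not allowed by Access-Control-Allow-Headers`;
    }
  }
  return 'ok';
}

// Constructed inputs: a POST carrying a bearer token and a JSON body.
const req = { origin: 'http://localhost:4200', method: 'POST', headers: ['Authorization', 'Content-Type'] };
const samples = {
  originOnly: { status: 200, headers: [['Access-Control-Allow-Origin', '*']] },
  twoLayers: { status: 200, headers: [['Access-Control-Allow-Origin', '*'], ['Access-Control-Allow-Origin', '*']] },
  errorStatus: { status: 404, headers: [['Access-Control-Allow-Origin', '*']] },
  fixed: { status: 204, headers: [
    ['Access-Control-Allow-Origin', 'http://localhost:4200'],
    ['Access-Control-Allow-Methods', 'GET, POST, OPTIONS'],
    ['Access-Control-Allow-Headers', 'Authorization, Content-Type'],
    ['Vary', 'Origin'],
  ] },
};
for (const [name, res] of Object.entries(samples)) console.log(name, '->', checkPreflight(req, res));
```

The `fixed` sample echoes one allowed origin and names `Authorization` explicitly, which is what lets the same request pass with the browser's check left enabled.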
I have set up an API using PHP, so that other web sites can query a DB on one of my servers. When I want to make a test with a client page, I get this:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.example.net/my.php?fx=221&ix=603. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
I understand, according to this document, that I need to specify who is allowed to use the API.
Adding something like this:
Access-Control-Allow-Origin: https://amazing.site
But what is less clear is where I should add this.
Is it at the Apache server level? Or is it in my PHP page on the server side? Any hint would be appreciated.
In Apache/conf/httpd.conf, add the code below:
<IfModule headers_module>
Header set Access-Control-Allow-Origin "https://amazing.site"
</IfModule>
Make sure you uncomment "LoadModule headers_module modules/mod_headers.so" in the same file.
You can also do it at the top of every PHP file:
header("Access-Control-Allow-Origin: https://amazing.site");
I am running an AngularJS application on my local system's Apache (http://localhost:8080). Here I am trying to hit an API with the POST method. My API (http://php.mpect.com/demo/login.php) is hosted on a GoDaddy server domain. It's a PHP file. I included
header('Access-Control-Allow-Origin: *');
in my PHP file, but I am still getting
XMLHttpRequest cannot load http://php.mpect.com/demo/login.php.
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
I am new to PHP and the GoDaddy server. How can I solve this? Is there any way to include headers in a GoDaddy domain? Sorry for my English. Can anyone please provide me with solution code to solve this CORS problem? Thanks in advance.
Add the configuration into your .htaccess file and you will be fine. This will ensure that the important CORS headers will be set on any request. Ensure you have enabled mod_headers on apache2.
# Always set these headers.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
I am testing the REST API in SugarCRM. In order to use the CRM REST API, I added:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
to the .htaccess file and rebuilt the .htaccess file. However, it did not give me a solution. I am still getting an error message with the following content:
XMLHttpRequest cannot load http://test.crm.loc/custom/clients/base/api/get_account.php. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
How can I fix it?
I found the answer. I put the following code at the top of the REST API code file:
header('Access-Control-Allow-Origin: *');
It worked for me.
I have a subdomain "x.domain.com" which then calls files from the static file subdomain "y.domain.com".
In my config file I have:
require_once("/var/_BACKEND$/functions/cors.php");
This includes the file fine. The contents of "cors.php" is the code contained in the answer for this question:
CORS with php headers (I have tried searching this problem!!)
In the bottom of the config file I also have the code:
if(!function_exists('cors')) die("err"); else cors();
Now for some reason, despite the code being exactly as it is above, and the file including fine, I am still receiving the following error from the Browser:
XMLHttpRequest cannot load
http://y.domain.com/scripts/ajax.php. No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://x.domain.com' is therefore not allowed
access.
Using a header checker also brings the following results:
The 302 is intentional.
This all appears as it should
You can't do that.
Access-Control-Allow-Origin must be present on the actual resource that access is being allowed to, not just a redirect. (Otherwise, you could bypass security restrictions by sending this header on a redirect to anything you wanted!)
Did you try to use that via .htaccess?
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Enable a2enmod headers
or modify your php script and replace * (asterisk) with x-requested-with