Sometimes when I submit ajax requests I get this error
XMLHttpRequest cannot load http://www.mysite.com/go/submit. Origin http://mysite.com is not allowed by Access-Control-Allow-Origin.
Here are solutions I thought about:
* Add the allow origin rule everywhere?
* Write .htaccess to always redirect to full url
* Use this method http://james.padolsey.com/javascript/cross-domain-requests-with-jquery/
How should I fix this problem?
The same origin policy means you cannot analyze data (json, html, image, etc.) that are coming from another "origin" (domain, port) than yours.
Note that
The term "origin" is defined using the domain name, application layer
protocol, and (in most browsers) port number of the HTML document
running the script
A solution is to set, on the server serving the other data, CORS headers explicitly allowing the access :
Access-Control-Allow-Origin: *
So you must have control of the server serving the data you embed as soon as you're not just displaying them.
A somewhat indirect solution is to let the browser think there is only one origin, by putting on your server a proxy. On apache you don't need .htaccess but mod_proxy. If you want to install such a proxy, you may be interested by this SO question (in fact you'd probably be more interested by the answer which helped me set such a proxy on one of my servers).
If your only problem is people typing mysite.com instead of www.mysite.com and you have only one server, you may simply use .htaccess to rewrite the URL :
RewriteEngine On
RewriteCond %{HTTP_HOST} ^mysite\.com$ [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [L,R=301]
Related
I would like to capture the HTTP-request for every incoming connection on port 80 / 443 (whether it is a valid URL on my server or not) and parse the info. One use-case that is relevant is if I wanted to reject every request from a particular USER_AGENT or IP_ADDRESS (or redirect them), rather than serving them a page. So, if a request came in from 22.22.22.22, I would like to parse their URI and redirect them to a different place than someone coming from 11.11.11.11. I want to do this regardless of what URL they are attempting to access (i.e. http://www.foo.bar/goodpage.php or http://www.foo.bar/nonexistentpage.php). Is there something similar to NSAPI or ISAPI either on the PHP engine level or the Apache level where I can inject this code?
I realize this may have performance implications, but I am willing to sacrifice some performance for function here.
Obviously, I will need this to service multiple clients concurrently as they connect.
assuming this is done for 1 domain only (and not for all sites on the server):
You can add this in your .htaccess file
(required is, mod_rewrite is enabled)
RewriteCond %{REMOTE_ADDR} !^11\.11\.11\.11$
RewriteRule - /for_11-11-11-11.php [L]
RewriteCond %{REMOTE_ADDR} !^22\.22\.22\.22$
RewriteRule - /for_22-22-22-22.php [L]
I need three things in the htaccess file:
Load a php file, if specific keywords are in the url
Pass the last word (after slash) of url to php as a parameter
Keep the origin URL in browser adress bar
e.g.
https://example.com/anyString/anyKeyword1/anyKeyword2/anyString/volvo
Or more specific examples with the keywords 'repaircars' and 'offering':
https://example.com/testsystem/repaircars/offering/volvo
https://example.com/repaircars/offering/volvo
So, whenever the keywords 'repaircars' and 'offering' are in the url, the htaccess file should load a file named
'show.php'
For this, I wrote the in the htaccess file:
RewriteRule ^repaircars/[^/]*(offering)[^/]*/ https://example.com/testsystem/show.php [L,R=301]
This is working fine. It's loading the show.php, if the keywords 'repaircars' and 'offering' are in the url.
But:
How can the file show.php receive the word after the last slash in url (here the last word is: volvo) as parameter?
How to keep the origin url in browser address bar and anyway processing the file show.php ?
Is this possible at all?
I would suggest a completely different approach:
RewriteEngine on
RewriteCond %{REQUEST_URI} repaircars
RewriteCond %{REQUEST_URI} offering
RewriteRule /(\w+)$ /show.php?brand=$1 [END]
In case you receive an internal server error (http status 500) using the rule above then chances are that you operate a very old version of the apache http server. You will see a definite hint to an unsupported [END] flag in your http servers error log file in that case. You can either try to upgrade or use the older [L] flag, it probably will work the same in this situation, though that depends a bit on your setup.
This implementation will work likewise in the http servers host configuration or inside a dynamic configuration file (".htaccess" file). Obviously the rewriting module needs to be loaded inside the http server and enabled in the http host. In case you use a dynamic configuration file you need to take care that it's interpretation is enabled at all in the host configuration and that it is located in the host's DOCUMENT_ROOT folder.
And a general remark: you should always prefer to place such rules in the http servers host configuration instead of using dynamic configuration files (".htaccess"). Those dynamic configuration files add complexity, are often a cause of unexpected behavior, hard to debug and they really slow down the http server. They are only provided as a last option for situations where you do not have access to the real http servers host configuration (read: really cheap service providers) or for applications insisting on writing their own rules (which is an obvious security nightmare).
I have hosted an ecommerce website with the OpenCart script at www.medicosales.in
I am facing some errors.
The website when opened by typing medicosales.in is NOT automatically resolving to https:// where I have seen in SSL secured sites that just by typing yourdomain.com the URL automatically takes https://
It's showing this message
How to solve it?
You should set up your .htaccess file if you're using Apache, or similar if you're using another webserver to rewrite your URLs to include https:// if they do not already. This will force the user's browser to access via the correct protocol.
For Apache place the following code into the top of your .htaccess file in your document root for the site ensuring mod_rewrite is enabled.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Whenever you load a resource externally e.g. via something like <img src="http://example.com/myimage.jpg" ... you must ensure that the protocol is HTTPS also otherwise your browser will give you that message since the resource was not loaded securely.
The way to fix this is ensure that all externally linked resources have their URLs prefixed with // and not http://. This way the browser will use the current protocol to fetch the resource.
Thanks #davidgiga1993 for pointing out // rather than using https://
It is not automatic. You need to send a 302/301 redirect back to the user pointing to the https URL.
consider i have created a website and have a web directory like this...
1.index.php
2.ajax.php
In index.php coding.. i use
<html>
....
<base href="http://website.com">
....
....
<script> <!-- using jquery -->
....
$.ajax({
url:'ajax.php',
type:'POST',
data:{ 'variable': value },
success: function(res){
....
....
}
});
....
</script>
when i run above code it works fine... but when i add "www" in base element href attribute, like this...
<base href="http://www.website.com">
its not working why?, it show error like this in javascript..
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://example.com/ajax.php. This can be fixed by moving the resource to the same domain or enabling CORS.
now i have question?
what is the real problem?
what should i do to make both base element code should run?
what is CORS enabling?
if i enable CORS, anyone from other website can able to access my site?
I would appreciate if some one could assist me, thanks in advance...
what is the difference between http://www.website.com and http://website.com?
They have different hostnames and are (technically) different websites. They could host different content, but probably don't.
what is the real problem?
Different hostnames are different origins. Browsers do not let JavaScript running in a page on one origin read content from another origin unless permission is given with CORS.
what should i do to make both base element code should run?
Pick one of the two hostnames to be canonical. Configure the server so the non-canonical one issues a 301 HTTP redirect to the canonical one.
While you are at it, stop using <base>. It is far more pain than it is worth, and almost everything good about it can be achieved by using URLs that are relative to the server root (i.e. URLs that begin with a / character).
what is CORS enabling?
Configuring the server to send HTTP headers that give the browser permission to share your site's data with other sites.
See MDN for more.
if i enable CORS, anyone from other website can able to access my site?
You can specify global access or limit it to specific origins.
Well basically, "www." is a subdomain which isn't technically the same as the root directory. You could have an entirely different website running on the subdomain "www.", although most hosting providers have their DNS automatically setup to redirect the subdomain "www." to the root folder (or the other way around). You can do this yourself using a .htaccess file with the following content:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
i'm trying to allow only my domain name to view my website...
i have a dedicated ip and Anyone can basically set your domain to my ip, It creates duplicate content of my website.
Try this code, it will rewrite all domain names used to access your site to the correct one:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.domain.com$ [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [L,R=301]
This means that everything that do not match the www.domain.com will be redirected/rewrited to www.domain.com.
Am I understanding you correctly that you are worried that other people will point their domain to your IP, thereby lowering your SEO ratings? First of all: wow. Secondly: configure the web server with virtual hosts to respond to a particular domain name only, not to all requests regardless of HTTP Host header. How to do this exactly depends on what web server you're running exactly and whether you can configure virtual hosts on it.
As far as i know the host will only respond to the correct domainnames configured.
You could also make sure with htaccess that all incoming request get rewrited to the correct domain.
As in this example .domain.com is rewited to www.domain.com and will never be available the other way arround.
http://www.tech-recipes.com/rx/296/rewrite-domaincom-to-wwwdomaincom-using-htaccess-in-apache/