Is there a way to add http://somesite:8080 in order to use google's oauth on localhost?
I see that for example http://localhost:8080 is allowed.
I get this error:
Invalid Origin: This app has a publishing status of "In production". URI must use https:// as the scheme.
Related
When I try to configure authentication of a registered web .Net Core app in Azure Active Directory by updating the redirect URLs I get a network error:
"Configuring your application registration
Network error: There is an issue establishing a connection to the service. Please refresh the browser to try again"
If I look into console I see CORS error:
"Access to XMLHttpRequest at 'https://graph.microsoft.com/v1.0/myorganization/applications/09bfef71-7a2b-4560-b2a2-947a4a16de0f' from origin 'https://portal.azure.com' has been blocked by CORS policy: Method PATCH is not allowed by Access-Control-Allow-Methods in preflight response."
See also attached image:
Check if you have any CORS extension installed on your browser. That was the case for me. I had this extention installed but once disabled I was able to save the changes
Getting a redirect issue on Safari browser only when trying to load an AppEngine site with Identity-aware proxy enabled. It shows requests being redirected to https://accounts.google.com/o/oauth2/v2/auth but then failing.
Origin is not allowed by Access-Control-Allow-Origin
If I load the url manually in a new tab in Safari I get: AppEngine error code 9.
I'm thinking it's probably to do with Safari's stricter cookie rules, somehow the IAP session cookie is being ignored because it's from another domain?
Safari seems to have stricter CORS rules, which may require additional rules. Especially if using AppEngine IAP.
If using <img>, <video>, <link> and <script> tags, and loading content from other domains using CORS. You need the crossorigin="use-credentials" attribute to allow the cookie sharing:
<script src="https://example.com/script.js" crossorigin="use-credentials"></script>
https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes
Note: this is less secure.
Angular has a build command which will add the attributes automatically for you:
ng build --prod --crossOrigin=use-credentials
https://angular.io/cli/build#options
I'm doing application with spring security and Spring MVC in back end and Angular in front end.
My problem is that I do the logged in correctly, but the problem in logged out I implemented correctly in my localhost: http://localhost:8080 worked without problem. When I change it to https:// I get this error:
Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ''. This request has been blocked; the content must be served over HTTPS.
I want to know how to correct that? And how to know which url blocked by https in the browser for example chrome?
This post which gives a solution to your problem: http://www.learningthegoodstuff.com/2015/08/mixed-http-error-with-spring-security.html
All the details are explained there, basically all you have to do is add this two lines to my application.properties file:
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
I fixed by removing a forward slash from the end of a URL fixing everything.this is help me : GET request throws error after app implemented SSL: Mixed Content: This request has been blocked; the content must be served over HTTPS"
This happens when the server is using http (non secured). You can fix it by enforcing https for all resources in the backend. Check here for more details.
In #Jabir Minjibir's answer there is very good link to describe the error. As sum up, when your application works with httpS scheme you can't make visits to unsecure links which is http.
I got this error and fixed it like I wrote below:
Mixed Content: The page at 'https://stackblitz.com/' was loaded over HTTPS, but
requested an insecure XMLHttpRequest endpoint 'http://172.19.0.62:920/'.
This request has been blocked; the content must be served over HTTPS.
You can mask unsecure links with simple-https-proxy npm package. In my experience I was coding an angular sample on httpS://stackblitz.com and I was trying to connect to an Elasticsearch server which doesn't have a domain name. I needed to make it working with ssl but I couldn't modify it's scheme. Thus I installed a proxy which can work secure (httpS).
I installed the npm package:
npm i -g simple-https-proxy#latest
Then I created certificate:
simple-https-proxy --makeCerts=true
Then I ran it
simple-https-proxy --target=http://172.19.0.62:9200 --port=9201 --rewriteBodyUrls=false
In another example:
I'm getting this error in browser:
Mixed Content: The page at 'https://{my-site}' was loaded over HTTPS, but
requested an insecure XMLHttpRequest endpoint 'http://{my-api}'. This request
has been blocked; the content must be served over HTTPS.
I know I need to allow https some how. The application uses Gunicorn to run the application on custom Google App Engine Flexible Environment. It also uses flask. Here is my app.yaml:
runtime: custom
env: flex
service: flex-module
entrypoint: gunicorn -b :$PORT main:app
Is it possible to change some setting in the Extensible Service Proxy to allow https in App Engine? Or do I need to get an ssl certificate and key and add the following to my app.yaml:
gunicorn -w3 --certfile=server.crt --keyfile=server.key test:app
Also i'm not sure if i need to add this to a gunicorn.conf.py as in this documentation:
forwarded_allow_ips = '*'
secure_scheme_headers = {'X-APPENGINE-HTTPS': 'on'}
Thanks
As stated in the documentation, Google does not issue SSL certificates for double-wildcard domains that are hosted at appspot.com:
Note: Google recommends using the HTTPS protocol to send requests to your app. Google does not issue SSL certificates for double-wildcard domains that are hosted at appspot.com. Therefore, HTTPS requests must use the string "-dot-" as the URL notation, instead of "." for separating subdomains. You can use the simple "." URL notation with your own custom domains and other HTTP addresses. For more information, see the HTTP and HTTPS examples in the following sections.
So to allow API requests over https and avoid the mixed content browser error, instead of http://version-one.my-app.appspot.com I needed to send request to: https://version-one-dot-my-app.appspot.com
To make HTTPS calls, enable the ssl library for your app by adding the following configuration to the app.yaml file:
libraries:
name: ssl
version: latest
https://google-auth.readthedocs.io/en/latest/user-guide.html
As stated in the January 2017 Endpoints release notes, I tried to update my openapi.yaml file to stop the Extensible Service Proxy (ESP) from blocking cross-origin requests by adding to x-google-endpoints:
swagger: "2.0"
info:
description: "Market scan using technical indicators."
title: "Talib Test"
version: "1.0.0"
host: "YOUR-PROJECT-ID.appspot.com"
x-google-endpoints:
- name: "YOUR-PROJECT-ID.appspot.com"
allowCors: "true"
basePath: "/"
consumes:
- "application/json"
produces:
- "application/json"
schemes:
- "http"
...
I continue to get an error in the browser when trying to make http calls from my angular application. The error is in both developer mode and after I deploy my angular application:
XMLHttpRequest cannot load
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
When i look at Google Cloud logging I see that requestMethod:"OPTIONS" and status:200. The API is a POST method so I'm guessing it's the ESP blocking the request. Also, I have allowed CORS in my python application using FLASK-CORS so it should be working.
My application has two services that are both on Google App Engine. The first is Standard Envrionment. The second, which I am having issues with is Flexible Environment. I am using a dispatch.yaml file and separate openapi.yaml files if that's relevant. Also, the API works on hurl it and postman.
Any help would be awesome!
Most likely your backend application did not handle CORS OPTIONS correctly.
If "allowCors" is true, Endpoint proxy will pass the request to your backend application. Proxy will not add anything to the request. If "allowCors" is false, proxy will return 404.