I'm having a problem where by the cross origin requests from my Angular JS application work fine in Chrome but not in Firefox.
The error received in firefox is:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at https://api.domain.eu/join/joinstatus. (Reason:
CORS header 'Access-Control-Allow-Origin' does not match
'https://www.domain.eu, https://www.domain.eu').
I can make requests successfully until I add an Authorization header to the request.
My server (ASP.Net Web API running on IIS) has the following headers set up:
Access-Control-Allow-Origin: https://www.domain.eu
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Credentials: true
Firefox successfully pre-flights the request with an OPTIONS request. Looking through this I can see the sent Origin header is contained in the returned Access-Control-Allow-Origin header.
In fact, for some reason the returned Access-Control-Allow-Origin header has my domain name twice (despite specifying it once in config) e.g.
Access-Control-Allow-Origin: https://www.domain.eu, https://www.domain.eu
That aside what is the difference between Firefox and Chrome in this regard?
What else do I need to do so that this will work in Firefox?
UPDATE
I have noticed that if I set my headers as follows...
`Access-Control-Allow-Origin: https://www.domain.eu'
... then the pre-flight OPTIONS request works fine. The Access-Control-Allow-Origin header is the same in both the request and the response. However the actual GET request then fails with the error above.
If I modify my headers as follows:
Access-Control-Allow-Origin: https://www.domain.eu, https://www.domain.eu
... (which is what Firefox alluded to in the error), then the actual pre-flight OPTIONS request fails as this time Firefox just expects a single value of https://www.domain.eu in the header.
Try:
Access-Control-Allow-Origin: https://www.domain.eu, https://domain.eu
Access-Control-Allow-Origin: https://*.domain.eu, http://*.domain.eu
Access-Control-Allow-Origin: domain.eu
Access-Control-Allow-Origin: *.domain.eu
EDIT:
Try:
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Request-Method: GET, POST, OPTIONS, PUT, DELETE
Docs:
Access-Control-Allow-Origin
A returned resource may have one Access-Control-Allow-Origin header, with the following syntax:
Access-Control-Allow-Origin: <origin> | *
The origin parameter specifies a URI that may access the resource. The browser must enforce this. For requests without credentials, the server may specify * as a wildcard, thereby allowing any origin to access the resource.
For example, to allow http://mozilla.com to access the resource, you can specify:
Access-Control-Allow-Origin: http://mozilla.com
You must only specify a single URI or *
This problem was caused by essentially having the wrong combination of NuGet packages in my solution. Owin and Web API CORS had both been used causing the headers to get mixed up.
I resolved this by going back to basics and working out what packages I needed and the problem went away.
you need to enable CORS in your web API project.
Check this out!
Related
According to this answers enable cors in .htaccess I would like to allow cross-origin requests from React application to the local server with Laravel application. So I added these lines at the beginning of my public/.htaccess. But it does not work.
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
The error says:
Access to XMLHttpRequest at
'http://localhost:8000/api/page/dynamic/111170/1' from origin
'http://localhost:3000' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource.
Can somebody tell me please what am I doing wrong?
In your server you need to enable requests from the local host:3000 origin. By default most server frameworks will block requests that aren’t from its own ip. This is called a cross origin request policy and its to help secure your application.
You’ll need to change your servers CORS policy to include localhost:3000 - you’ll need to google how to do this for the specific server framework you’ve chosen.
To reiterate, this is not a problem with your React code but with your server.
I know many people have had issues with CORS. I have searched a lot and I have found many answers but I still have errors. The things I tried solved some errors but caused other, all CORS errors...
In my app, I use two API's: an API for the authentication and the mysql requests, the other one is openweathermap. For the latter, I found a solution adding https://cors-anywhere.herokuapp.com/ in front of the API url (http://api.openweathermap.org/ ...). It works well. But I still a errors when I use my own API.
I tried using the same method but my axios call gets a 404.
https://cors-anywhere.herokuapp.com/my_api.test/api/login 404 (Invalid host)
For the login, it works but all other API calls fail. I found that I could add headers in my API to help me:
header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Headers: X-API-KEY, Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method, Authorization");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE");
Adding this allows other API calls to succeed but the login fails... Is there a way to make all my API calls to be successful ?
Error message:
Access to XMLHttpRequest at 'http://my_api.test/api/login' from origin
'http://localhost:3000' has been blocked by CORS policy: Response to preflight
request doesn't pass access control check: The 'Access-Control-Allow-Origin'
header contains multiple values '*, *', but only one is allowed.
Laravel is both the problem and the solution. There is a file called cors.php in the config folder to deal with this. By default only the path 'api/' is managed. Adding the headers solved the problem for the other paths but caused an error for the path 'api/'.
The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
By simply replacing api/* by /* in config/cors.php, I can access all paths of my API without having CORS errors.
I have deployed my front-end angular app with keycloak enabled. Also have a java rest based back-end for communication. When i run the app keycloak shows the login page, Then after i login it does not shows anything.
XMLHttpRequest cannot load http://test.ssdiary.com:2222/auth/realms/app1/protocol/openid-connect/token. Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values '*, http://test.ssdiary.com', but only one is allowed. Origin 'http://test.ssdiary.com' is therefore not allowed access.
GET http://test.ssdiary.com:2222/auth/realms/app1/protocol/openid-connect/login…ame.html/init?client_id=srms-frontend&origin=http%3A%2F%2Ftest.ssdiary.com 403 (Forbidden)strong text
Header from network tab
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:accept, authorization, content-type, x-requested-with
Access-Control-Allow-Methods:GET, POST, OPTIONS, PUT
Access-Control-Allow-Origin:*
Access-Control-Max-Age:1
Connection:keep-alive
Content-Length:0
Date:Fri, 09 Jun 2017 04:57:38 GMT
Server:WildFly/10
X-Powered-By:Undertow/1
Please read the specifications of the Access-Control-Allow-Origin header here.
For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.
You are setting Access-Control-Allow-Credentials:true in your request. Thus, multiple origins are not allowed to access the returned content. Try to send a single origin as the value of Access-Control-Allow-Origin from your server.
I have an application in AngularJS (ionic framework), and a server in Symfony.
In local everything works, but now I do my tests with the server online. Unfortunately everything does not happen like local, I have the following error:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http: // localhost' is therefore not allowed access.
I was wondering how to add the "Access-Control-Allow-Origin" CORS header that is missing.
Use this bundle: NelmioCorsBundle
The CORS-Bundle is used to define the CORS rules. This bundle allows you to define which domains will have access to your REST API. And it will make your job easier too :)
I don't think your issue came from Angular, it looks like it comes from your API server.
You may need some headers server side:
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
XMLHttpRequest cannot load http://hfdvcbapp01.vm.itg.corp.us.shldcorp.com:8180/cnb/cnb/report/summary?Company=IT. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:64033' is therefore not allowed access.
I am getting this error when i am trying to load data from json which situated at the server.How can i resolve this.
Access-Control-Allow-Origin header should be set in the response,
if it is not from the same origin of the URL it was sent from, the header should be set from the respone - meaning - the server responding to the request in youre case - http://hfdvcbapp01.vm.itg.corp.us.shldcorp.com:8180,
if the server is under youre control just handle it, if its an outside service you should request this.
Your api is not returning header
Access-Control-Allow-Origin: http://yourdomain.com
to allow specific domain
or
Access-Control-Allow-Origin: *
to allow all
PS. Also make sure that headers are actually there. Pay attention that CORS actually send 2 requests 1 will be OPTIONS, second will be actual request so if you return headers only on GET or POST it wont work. To check it in chrome presss f12, go to network and do you requests make sure that header is there
Read more