I keep getting the following CORS error when trying to consume the JIRA ReST API:
Fetch API cannot load
https://jira.our-domain-name.com/jira/rest/api/2/search?jql=project=tcc%20and%20cf[10809]~8423362.
Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'https://application-url.our-domain-name.com' is therefore not allowed
access. If an opaque response serves your needs, set the request's
mode to 'no-cors' to fetch the resource with CORS disabled.
However, this search URL works 100% when I paste it directly into the browser, or running it through Postman, or using CURL from command line.
My app is calling the API, using the javascript fetch API. I set the following headers when making the GET request:
headers: {
"content-type": "application/json",
"authorization": "Basic <<encrypted>>"
}
I have ensured that the requesting host has been whitelised in JIRA admin - I have tested the host using the test feature on the whitelist page.
When I change the whitelist from wildcard to Domain Name, I suddenly get this:
Fetch API cannot load
https://jira.our-domain-name.com/jira/rest/api/2/search?jql=project=tcc%20and%20cf[10809]~8423362.
Request header field authorization is not allowed by
Access-Control-Allow-Headers in preflight response.
Any ideas?
You have 2 options.
The easiest way is to proxy your request through your backend (if that's possible) since the CORS restrictions are enforced on JavaScript running within the browser.
The other way would be to reconfigure the Tomcat server that Jira is running on to support sending a CORS header. This can have other security implications if not done right.
Related
When executing a query through javascript I get a CORS error:
Access to fetch at 'http://access.mainnet.nodes.onflow.org:9000/v1/scripts?block_height=sealed' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
This error happens when querying from testnet and mainnet.
Also happens from localhost or from a site running in Vercel.
The rpcs I tried:
https://access-testnet.onflow.org/
http://access.devnet.nodes.onflow.org:9000/
http://flow-testnet.g.alchemy.com:443/
(also tried their mainnet counterparts)
Solved the problem using these rpcs:
https://rest-testnet.onflow.org/
https://rest-mainnet.onflow.org/
I'm building an extension and am having trouble with the workItemIcons api endpoint only on azure devops server, it works fine for azure devops services. The end point I'm hitting is http://...../DefaultCollection/_apis/wit/workItemIcons. I'm getting the following error when running the extension locally, but get the same kind of error even on the published version.
Access to fetch at 'http://...../DefaultCollection/_apis/wit/workItemIcons' from origin 'http://localhost:5500' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Extension scopes I think are fine
"vso.graph",
"vso.identity",
"vso.project",
"vso.profile",
"vso.work_full",
"vso.analytics",
"vso.work"
],```
We're using the `azure-devops-extension-api` package.
You can try the following ways:
Add the Access-Control-Allow-Origin header to your response.
For example:
res.setHeader('Access-Control-Allow-Origin', '*');
Bypass the CORS secure mechanism via setting mode as no-cors.
For example:
fetch('http://...../DefaultCollection/_apis/wit/workItemIcons', { mode: 'no-cors' });
To view more details, you can reference to the articles below:
CORS: Cross-Origin Resource Sharing
No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API
I'm having some issues trying to download a resource from our S3 CDN.
We appear to have CORS set up properly on S3.
The S3 CORS troubleshooting guide states that you need to post the "Origin" header, otherwise it will ignore all of the CORS headers:
If the header is missing, Amazon S3 doesn't treat the request as a
cross-origin request, and doesn't send CORS response headers in the
response.
I have tested using curl to ensure that the relevant CORS headers are being returned, and I can see that these are only returned if the "Origin" header is sent.
eg: if I run the following:
curl -v -H "Origin: http://localhost" https://cdn.myurl.com/mybucket/mystuff.json
I get the following headers returned (as well as a screed of other information):
access-control-allow-origin: *
access-control-allow-methods: GET, POST, HEAD
However, when I DON'T pass the Origin header, those return headers are missing:
curl -v https://cdn.myurl.com/mybucket/mystuff.json
I'm trying to pull the data down using a UnityWebRequest get request. When I run my application via WebGL I can see an exception when I call request.SendWebRequest()
Failed to load https://cdn.myurl.com/mybucket/mystuff.json:
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:17936' is therefore not allowed
access.
I can only assume then that the UnityWebRequest isn't sending the "Origin" header.
I can't explicitly set the header, because if I do I get the error:
UnityWebRequest request = UnityWebRequest.Get(uri);
request.SetRequestHeader("Origin", "http://localhost");
InvalidOperationException: Cannot override system-specified headers
I'm quite stuck at this point.
UPDATE:
#sideshowbarker mentioned that the Origin header is automatically added by the browser, so that was perhaps a red herring for me.
They also suggested that I need to look at the request headers in my browser tools. This is what I see when looking at the request from the WebGL application for this particular object in my browser:
There are a couple of points of interest to me here.
In the Request headers, it has a note that Provisional headers are shown. I assume that means that the browser tools are making their best guess at what headers are being sent?
The request is successful - I get a 200 (success) response code. The content-length header (42) is the correct size that I expect. The game code is just failing based on the missing CORS headers.
The image shows the 200 response code with the note "(from disk cache)". I have cleared my cache and re-run this, and the first hit (my code does a retry) does correctly not load from cache, but still fails the CORS test.
The only other spanner in the mix here that I can think of is that we are using CloudFlare in front of the S3 bucket. I believe that this shouldn't cause issues because it is supposed to forward the CORS headers, but I will do a test bypassing CloudFlare.
You have to add the CORS policy to the S3 Bucket where you are hosting your game.
AWS Documentaion. That will allow you to then make https calls and Rest API calls etc... It is a bucket setting not a game setting.
Just add the "HEAD" request to the cors config of Amazon
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"POST",
"HEAD"
],
I am getting a 401 and some cross domain issues when trying to access IBM Weather REST API from either client (browser) or server.
If I generate a URL and try and access it directly from a browser (eg paste it in it works fine and the JSON weather report is returned).
When I try and run the Javascript HTTP request from either the browser or server it seems like it's only allowed to run from an ibm.com domain.
Failed to load https://twcservice.au-syd.mybluemix.net/api/weather/v1/geocode/-33.00/151.00/forecast/daily/7day.json?units=m&language=en-US: The 'Access-Control-Allow-Origin' header contains multiple values 'https://*.ibm.com, https://*.ibmcloud.com', but only one is allowed. Origin 'http://localhost:3000' is therefore not allowed access.
I am using the free service on Bluemix. Is this restricted to only run via a Bluemix server? or are there some options I can pass when I create the service on Bluemix
Note, when I make the request I am using the credentials supplied via the Bluemix console. Again, this works via the browser URL bar, but not via code.
Update/More info: if I hit past the URL above into the browser (with creds) it works as above, then if hit it via the web app in the same session it works.
Hmmm. So the IBM server is sending the following response header:
Access-Control-Allow-Origin: https://*.ibm.com, https://*.ibmcloud.com
That's an invalid response from IBM. Unfortunately, I think your only option is to complain to IBM, and convince them to
Return a valid Access-Control-Allow-Origin response header (with only one value)
Allow people outside of IBM to access it
Without that, I fear you're out of luck.
I am trying to call REST APIs from development environment(localhost:4200) using Angular 2 (version 4.0.0)
getting the below error message:
"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost:8000/auth. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)."
Here I am providing a code sample for reference:
var headers = new Headers();
headers.append('Content-Type', 'application/x-www-form-urlencoded;charset=UTF-8');
return this.http.post(this.loginUrl, 'POST_Parameters', {
headers: headers
}).map(res => {
console.log(res);
});
Can someone please help me to find out solution for this issue?
CORS must be enabled by backend. Depending on backend framework, usually you must send specific header that backend can recognize. But until you explicitly enable CORS support on backend, sending header is useless
on a project of mine i just went to my server (apache2 on linux 16.04 ) and i just added the "Header set Access-Control-Allow-Origin "*"" on the virtual server config file
As per Browser policy CORS is not allowed. If you are using POSTMAN then this error won't not occur.
CORS error should only remove by server side. Hence you should set header in your backend code.
If you are using express as your backend ...
app.use(function(req,res){
res.header('Access-Control-Allow-Origin', '*');});
You are in local server. You need to run api and angular app on same server.
When you upload project on same production server I hope This error will not shown.