XHR and Access-Control-Allow-Origin - karma-runner

One of the methods that I am testing sends an XMLHttpRequest to "http://localhost:4848/qrs/extension/schema?xrfkey=asdfasdfdf". I am getting an error which looks like this -
XMLHttpRequest cannot load http://localhost:4848/qrs/extension/schema?xrfkey=asdfasdfdf. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9875' is therefore not allowed access. The response had HTTP status code 404.
Now I understand that tests are served on "localhost:9876", and trying to access localhost:4848 is actually violating cross-domain policy. I have seen the karma proxy settings and tried -
proxies: {
'/qrs': 'http://localhost:4848/qrs'
}
But doing this actually serves my content from "http://localhost:9876/qrs/extension/schema?xrfkey=asdfasdfdf". But this way my client code will not work. Because client code directly sends XHR request to "http://localhost:4848/qrs/.....", but NOT to "http://localhost:9876/qrs/.....".
Any suggestions on how I can solve this?
Also, wouldn't it be better to have an option to set different headers in the config file? At least we know that we are talking about tests here (I mean not in production).
Thanks in advance.

Related

Host header not being applied

I am confused. I've added headers to a request before and, for some reason, this one does not work as I want it to.
I'm trying to perform a post request to Linkedin following their documentation to get an access_token from an OAuth2 flow. I have the preliminary code to pass to the token endpoint, that is not an issue.
This is the sample request from the docs:
POST /oauth/v2/accessToken HTTP/1.1
Host: www.linkedin.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code={authorization_code_from_step2_response}&redirect_uri=https%3A%2F%2Fdev.example.com%2Fauth%2Flinkedin%2Fcallback&client_id={your_client_id}&client_secret={your_client_secret}
I assume the Host header is to avoid CORS issues, but it just isn't being set. When I perform this request, my console gives me this 404:
Given that I know the Header is not 'unsafe', how do I go about setting it in this specific case?
Any help would be greatly appreciated, thank you!
My bad. Remove the Host header from config object and set it directly in the URL. Works just fine. I now have CORS Allow-Origin issues, but that's not related.

How to mock HTTP Error response with Charles?

Is it possible to intercept the request going through Charles and immediately return 500 error code without sending this request to the server?
Can't find any information on this. All resources suggest to wait for the response and then change HTTP response code to 500.
I assume you have already tried adding a rewrite rule to make the request return with the 500 status. Have you tried combining this with a Map Local to an empty file on your disk, for instance? It may work.
If this doesn't work either, I think I would do a Map Remote to another path on my localhost (for instance: http://localhost:8081/exected-response-500) and make that URL return the 500 status error (in my case I would use a basic Spring Boot app to achieve this).

CORS Ionic 3 Post Requests

I keep receiving the error below when I use Ionic Serve...
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8100' is therefore not allowed access.
It only occurs with "post" requests. The "get" requests I have work with no error. I've seen documentation for proxies, but I was not looking to go that route. I'm currently using the CORS Chrome plugin as a workaround right now, but will be shipping to mobile soon (Ionic View) for testing, and I believe I will still run into the CORS issue using Ionic View.
I have control of the API/server - using nginx.
Any suggestions?
CORS will not affect mobile phones. The issue is with the POST method in the web view. For POST methods, the browser sends an OPTIONS request for security purposes. It should be handled in the API. I used ASP.NET Web API. When using localhost, I used two methods for POST with the same name, but that's not the proper way to do this. You need to handle it in the configuration to ignore this. If you have an API without parameters, add the header "content-type x-www-form-urlencoded" to your request headers. If there are parameters, use another method without parameters using the same name (method overloading). But when you are using a live host, don't forget to remove the redundant methods.

AEM/CQ | Not able to access Sling Servlet from Source outside AEM

I have a SlingServlet which I am trying to access by making an AJAX call from HTML outside of AEM. At first it worked, but now I am getting the following error:
test.html:1 XMLHttpRequest cannot load
http://localhost:4502/bin/DamHandlerr.html?imgURL=http://s3.amazonaws.com/f…iles-aviary-prod-us-east-1/2016-05-24/3dfa830ede7b44c4a88e872b22875c85.png.
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'null' is therefore not allowed access.
Can anyone guide me here?
This type of request is called CORS (Cross-Origin Resource Sharing). If you want the AJAX client host/port to call another host/port URL, the server needs to add appropriate headers in the response to tell the client that the call to a different host is allowed.
You would need to add the Access-Control-Allow-Origin header in the response to allow the AJAX client to successfully access the different-origin URL.
Sometimes, in modern browsers, the AJAX client makes an additional request, called a pre-flight request, to check if the resource is safe to access; in that case additional headers would be needed in the response, as listed in the link and this link.

restler 3 cross domain not working

My Restler 3 API works fine on my local test server and works fine on the production server if called from that same server, but if I make the call remotely then it fails.
Using the same REST client with the Luracast online examples, it works fine with a remote call, so it must be something in my configuration (either my API or my production server).
I found mention of the need to send headers and so tried adding these headers to the index.php file:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, PATCH, DELETE');
header('Access-Control-Max-Age: 1000');
header('Access-Control-Allow-Headers: *');
But that didn't help. Using the RESTClient add-on in Firefox, I can see that those headers are sent, and the browser will show the data both locally and remotely, whether I use those header commands or not.
Here's a sample call:
https://api.masterpiecesolutions.org/v1/artists/?key=A4oxMOYEUSF9lwyeFuleug==
My index.php for that call uses this, with 2nd param to map to root level
$r->addAPIClass('Artists', '');
Don't know if that is relevant.
Also, the production server is Amazon EC2, so perhaps has something to do with security policy?
Or maybe it's some other header issue? In Google Chrome, using the Advanced Rest Client extension, it gives a status of 403 Forbidden and Content-Type is text/plain (whether using the local or remote server), so it won't work at all, unlike the Firefox add-on.
I also see use of $_SERVER['HTTP_ORIGIN'] in Restler.php, and this doesn't appear to be supported everywhere yet?
* is not a valid value for the Access-Control-Allow-Headers response header. You need to list out every non-simple request header. For example:
header('Access-Control-Allow-Headers: Content-Type');
Also consider putting a single origin value or just * for the Access-Control-Allow-Origin header. I just visited your sample url and there are multiple values in that header. Although this should work according to the CORS spec, it is not very widely adopted yet.
Lastly I noticed that the server was setting Access-Control-Allow-Credentials: true. If you set this to true, then you also need to do two other things:
The value of the Access-Control-Allow-Origin header must be the value of the Origin (e.g. http://localhost, it can not be *).
You will need to set xhr.withCredentials = true; in your JavaScript client code.
If you are just testing, you should try to get things working without setting the Access-Control-Allow-Credentials header. It will make things easier to debug.
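The rules in the answer above (list the allowed request headers explicitly, send back a single origin, never pair `*` with credentials) applied to both a preflight and an actual request, as an added example that is not part of the original answers or of Restler. The function name `corsResponse` and the allowlist values are assumptions for illustration; the two origins are the ones that appear in the error messages on this page.

```javascript
// Added example: allowlist-based CORS decision, framework-independent.
// The three policy constants below are assumed values for illustration.
const ALLOWED_ORIGINS = new Set(['http://localhost:8100', 'http://localhost:9876']);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];

// method: HTTP method of the incoming request.
// reqHeaders: request headers with lower-cased names.
// Returns { status, headers }; status null means "let the application answer".
function corsResponse(method, reqHeaders, { credentials = false } = {}) {
  const origin = reqHeaders['origin'];
  // Vary: Origin stops caches from replaying one origin's grant to another.
  const headers = { 'Vary': 'Origin' };

  // No Origin, or an origin not on the allowlist (including the literal
  // "null" sent by file:// pages): emit no CORS grant at all.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: null, headers };

  // Echo exactly one origin. With credentials the value may not be '*'.
  headers['Access-Control-Allow-Origin'] = origin;
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = method === 'OPTIONS' &&
    'access-control-request-method' in reqHeaders;
  if (!isPreflight) return { status: null, headers };

  // Preflight: check the method and every requested header against policy.
  const wantMethod = reqHeaders['access-control-request-method'];
  const wantHeaders = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { status: 403, headers: { 'Vary': 'Origin' } };

  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600';
  return { status: 204, headers };
}
```

A server would merge the returned headers into its response and, when `status` is not null, answer the preflight directly without invoking the API handler.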
The problem, for me at least, was using SSL and the restclient class didn't accommodate that.
So I added (to my RestClient.class.php from phpclasses.org)
curl_setopt($this->curl, CURLOPT_SSL_VERIFYPEER, false); // for SSL
and now it works.
Also required was setting
public static $crossOriginResourceSharing = true;
in Defaults.php for Restler 3.