Content Security Violation in Shopify - ajax

I am using Shopify and I'm making an ajax get request to a different server. I have just implemented it so I'm testing it on the console. The request is getting through and I'm getting the response I want but I am also getting the following message:
[Report Only] Refused to connect to 'https://myurl.com/ApiClientes/ciudades' because it violates the >following Content Security Policy directive: "connect-src 'self' *.shopifycloud.com .shopifysvc.com >.amazon.com *.paypal.com *.facebook.com sessions.bugsnag.com analytics.tiktok.com bat.bing.com >www.google-analytics.com ct.pinterest.com stats.g.doubleclick.net".
I would like to get rid of it. Don't know what it is or what it means. I could really use some help. Thanks in advance :)

To handle this issue, don't make direct request to third-party server instead create one url at 'https://yourdomain.com/anypath/handlereqeust?r={requestURL}' to handle all the requests from Shopify store
Then make request to Shopify app as mentioned in this link: https://shopify.dev/apps/online-store/app-proxies

Related

Forbidden 403 Access URL API in Laravel

Good afternoon, let me ask
I created a service API using Laravel, but one of the API urls when I sent the response parameter was 403 or Forbidden. even though before it was fine, it worked smoothly. And I raised it to the server instead it became Forbide. Anyone know why? thank you for answering
If it is ok on local and getting a forbidden error on the server, the problem might be caused by the webserver application. please take a look at this link.

Response for preflight has invalid HTTP status code 404

This is the responce i am getting when trying to upload a file from my client(PHP),My server is on WebApi which is hosted in one server.In my webapi i have allowed all CORS related things still i am getting this error.
Have you checked this tutorial?
Maybe when you say
In my webapi i have allowed all CORS related things
you didn't do that correctly, or maybe you enabled too many options at the same time.
It's hard to give you more details without access to your actual configuration.
There are also many posts on the same subject here on SO, have you checked them?

Cross Domain access to USPS Address validation API

I am trying to hit USPS address validation API by AJAX call and I am getting 'Cross-Origin Request Blocked' error.
However when I am trying to access the same address though URL, I am getting the results.
Has this error something to do with approval thing?
The id I am using for this has been approved and I am able to get the result by the API through URL.
I want to access it though scripting. Please help.
Any help would be appreciated.
Thanks in advance.
I think the way you might want to do this is to have the Ajax requests go to your web server -- the same HTTP server where the page came from. And then your server-side program (in PHP, or Python or whatever you're using) relays the request to the USPS server.
Making the request browser-side, from Ajax directly to the USPS server, is just the kind of suspicious activity (called Cross-Site Scripting) that browsers are learning to block.
CORS could theoretically be one way to unblock a Cross-Origin Request, but in that scheme it would be the USPS API server that ultimately grants that permission for pages from your domain. Tech detail: by inserting an Access-Control-Allow-Origin header in response to a request with an Origin header in the Ajax back-and-forth.

Venmo API call from client side. Access-Control-Allow-Origin?

I'm building a small web app with Ember.js and Firebase so as of now I don't have a framework. I'm trying to use Venmo's OAuth and API to get usernames, emails, and friends. I got OAuth to work and I get a client-side access token to use in an API call, but whenever I try and send a GET to https://api.venmo.com/v1/me?access_token=<access_token> using AJAX or CORS I get an error saying XMLHttpRequest cannot load https://api.venmo.com/v1/me?access_token=<access_token>. No 'Access-Control-Allow-Origin' header is present on the requested resource. Is there a way to do this with javascript
I'm an API engineer over # Venmo, and we're looking to open up CORS support very soon, in the next couple months hopefully. Feel free to email developer#venmo.com and bug us if you need to :P

Error sending Ajax Request to Django site from non-Django site

I am currently using Django 1.2. I am trying to send an ajax request to my Django site from our newly established drupal installation. I am able to send the request no problem from one view to another on my DJANGO site but I am unable to send a request from my local machine. I continue to get an error, I assume there is a CSRF verification issue. Does anyone know how I may resolve this issue.
-Greg
Not so recommended but quickest:
You can easily disable csrf protection for certain django views using csrf_exempt decorator. You can find more info in django docs
this might be also more justified if you run your app in 'trusted environment'.
Please mind that this causes some security problems. If you decide to use csrf_exempt you can think of some additional verifications (eg. you can allow requests on some view for some limited set of IPs or something else).

Resources