I am doing Ajax call from cross domain.I would like to allow this call only to the specific domains. What is the best way to get remote origin from HttpServletRequest. Will request.getHeader("Origin") be available all the time? If remote domain matches I will set
origin = getFromRequest...
if (origin=="example.com"{
response.addHeader("Access-Controll-Allow-Origin",origin);
}
Here is what I found from the link
https://www.w3.org/TR/cors/. I am seeing this as cross domain should have
Origin header all the time
Also found this link, it is very helpull, it is telling how IE 11 manage cors request Internet Explorer 11 does not add the Origin header on a CORS request?
Related
Let's assume my site is example.com. On my server I have script which must works only for white listed site. I have setuped this code which allow XHR requests only from my site.
header('Access-Control-Allow-Origin: https://www.example.com')
Now I'm wondering can someone change origin parameter and send fake AJAX requests from another sites ?
So is origin parameter trusted or there is a ways to "override" origin parameter example from script or browser configuration or from some third part service ?
CORS policies are enforced on the client side; i.e. by the browser.
You can trust that they will work to prevent CSRF for your regular visitors, but there's nothing preventing someone from manually sending requests to you as they wish.
Scenario: Want to access content of xyz.example.com from mysubdomain.example.com (using Fetch or XMLHttpRequest).
But CORS is configured in such a way that when ORIGIN(in request header) is "example.com" then only xyz.example.com supplies ACCESS-CONTROL-ALLOW-ORIGIN (with value example.com) and thus able to read its content. But by-default when I am making request from mysubdomain.example.com then origin is set to mysubdomain.example.com and thus not able to read contents of xyz.example.com.
Also all communication is on http only(since port difference also matters).
I am trying to use document.domain="example.com" to change my origin to example.com but it is not changing. How to access resource from other sub-domain in this scenario ?
(I am not having access to change server side code on xyz.example.com)
I am using Postal PIN Code API for getting Post Office(s) details search by Postal PIN Code in angular 5 application. Below is the url of the external API :
http://postalpincode.in/api/pincode/{**PINCODE}**
I am issuing a GET request from the application but it is giving me below error :
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access
Although this request is working perfectly fine from browser and postman. I understand that we need to configure our server with cross-domain policies for accepting cross-domain request but this is an external API and I don't have control over it. How can I resolve this issue?
Thanks in Advance !!
Best: CORS header (requires server changes) CORS (Cross-Origin Resource Sharing) is a way for the server to say “I will accept your request, even though you came from a different origin.” This requires cooperation from the server – so if you can’t modify the server (e.g. if you’re using an external API), this approach won’t work.
Modify the server to add the header Access-Control-Allow-Origin: * to enable cross-origin requests from anywhere (or specify a domain instead of *). This should solve your problem.
2nd choice: Proxy Server If you can’t modify the server, you can run your own proxy. And this proxy can return the Access-Control-Allow-Origin header if it’s not at the Same Origin as your page.
Instead of sending API requests to some remote server, you’ll make requests to your proxy, which will forward them to the remote server.
Here are a few proxy options.
Ref: https://daveceddia.com/access-control-allow-origin-cors-errors-in-angular/
I've a server named, foo.com where my application is running and accessing a service available on a different domain bar.foo.com.
With the simple XHR request to bar.foo.com/getUsers, I'm getting an error saying, No 'Access-Control-Allow-Origin' header is present. I do not want to use JSONP as a fallback to cross-domain issue.
Is there any easy fix I can do on server level to enable cross subdomain requests while XHRing?
It appears that I need to set allow-cross-domain headers on server when a response is returned as suggested by #Blender above.
Or I can use xdomain library which uses PostMessage API to enable cors. With this I can even read iframe's content served by different domain.
Searched everywhere and didn't find straight answer.
Does CORS make cross-(sub)domain localStorage sharing possible or not?
And how about on IE8?
No, you cannot directly access another origin's storage, regardless of CORS settings.
You could however have a remote AJAX service that could store your settings on the remote domain.
e.g. Say your main website www.maindomain.com returns header Access-Control-Allow-Origin: https://www.subsite.com for its AJAX requests.
Then your other website www.subsite.com can make an AJAX request to e.g. https://www.maindomain.com/storage to retrieve or to save details cross-origin. The local storage for www.maindomain.com can be returned as a JSON object in the response for www.subsite.com to use.