Cross-Origin request blocked by Firefox OS on https - https

I'm writing a packed app for Firefox OS. I want to communicate with an external server via https. If I execute the app as a normal website it is running, but in Firefox OS or the simulator I receive
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://mozilla.goip.de/Webradio%20V2/php/download_streams.php. This can be fixed by moving the resource to the same domain or enabling CORS.
without "systemXHR" : {} and "type": "privileged" in the manifest and { mozSystem: true } in req = new XMLHttpRequest({ mozSystem: true });. Using this, my server still only receives a request when using http. With https the server receives no request and the status of the request is 0. The server already allows access by header('Access-Control-Allow-Origin: *'); (PHP).
Is there any way to use https for the connection?

Related

Socket.IO - has been blocked by CORS policy

I am using SocketIO to create a web chat application.
When I work locally everything is fine, but when I release it to our live domain I get the following error:
Access to XMLHttpRequest at
'https://example.com:2096/socket.io/?EIO=3&transport=polling&t=1586507948354-0'
from origin 'https://example.com' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource.
Here is how I connect from the client to the server:
var socket = io(document.domain + ':' + supPort, {secure: true});
I have researched and I was advised to put this into the virtual host config file of the domain in Apache2:
Header always set Access-Control-Allow-Origin: "*"
However the error is still the same.
Why am I receiving this error? How can I fix it?

On Developing Mobile app using ionic and web api 2.0

The Web API is hosted on a secure server and I am accessing it through a path. Locally it is working fine, but after hosting the API
I am getting this error while running the application
XMLHttpRequest cannot load https://xxxxx.xxxxapp.net/xxx_API/token. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8100' is therefore not allowed access. The response had HTTP status code 400.
Well, your error gives you info about what to do. You are doing a request with CORS (Cross-Origin Resource Sharing). It says that your request does not have the Access-Control-Allow-Origin request header specified. So you should provide it. More about CORS
Try to put this in your ionic.project file:
{
    "proxies": [
        {
            "path": "/api",
            "proxyUrl": "https://xxxxx.xxxxapp.net/xxx_API/token"
        }
    ]
}
and replace the proxyUrl with your API path

WSO2 API console requested an insecure XMLHttpRequest endpoint

I am using WSO2 API Manager 1.9.1 and have defined a service that can be accessed over both http and https. When I try to "test" it through the API Console under https://localhost:9443/store/apis/..., the API call fails as the REST AJAX call is sent over http instead of https.
Chrome complains that the page was loaded over HTTPS but requested an insecure XMLHttpRequest. The request is blocked as it should be served over HTTPS.
Firefox likewise blocks the request with a "mixed active content" error.
Safari fails with a more obscure message: "Failed to load resource: The network connection was lost.".
A workaround is to set the API scheme to https only but this is not particularly desirable. Is there a fix or other way to cope with this issue?
This issue occurs when you're trying to access an HTTPS URL from the web browser but the endpoint is actually HTTP. This is not the default behavior of the Swagger console in API Manager 1.9. Usually when you are accessing from the web browser using HTTPS, the API console (Swagger console) calls an HTTPS endpoint by default.
Try to expose the service as both HTTP and HTTPS (Manage tab) when you are publishing an API.
Thanks
Ojith

XHR from another domain to a https server

I have a server on Heroku, using an https certificate. Now I am trying to build an iOS/Android app using the Ionic framework and make a connection to that Heroku server.
The error when I do it is
"ERR CONNECTION REFUSED" when I am trying to do https://example.com/auth
And when I change it to http instead, the error is
XMLHttpRequest cannot load http://example.com/auth. The request was redirected to 'https://www.example.com/auth', which is disallowed for cross-origin requests that require preflight.
Thanks for any help.

Access-Control-Allow-Origin issue in XMLRPC request

I am working in mobile app development using HTML5 + PhoneGap. Currently I am working on a mobile app using XMLRPC and it's working fine (Android and iOS).
I need to run the same application as a website in browsers (using HTML5).
But when I try to run my application as a website I get this error:
XMLHttpRequest cannot load 'Client' URL'. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.
When I searched, experts said to use JSONP. But can I make it work using the same XMLRPC method?
For example, for login purposes I am using:
$.xmlrpc({
    url: 'http://clienturl/xmlrpc/common',
    methodName: 'login',
    params: ['Database_name', 'user_name', 'Password'],
    success: function(response, status, jqXHR) {
        alert('success');
    },
    error: OnError
});
It's working fine as a mobile application.
But I get the Access-Control-Allow-Origin cross-domain issue when I try to run it as a website.
How can I fix this?
By default the SOP (same origin policy) allows cross-origin requests, but it prevents receiving the responses of those requests. The Access-Control-Allow-Origin in your error message is a CORS (cross-origin resource sharing) header. It tells the browser that you allow reading the responses of a domain (your XMLRPC server's domain) by sending requests from another domain (your XMLRPC client's domain). So you have to send back CORS allow headers from your server if you want to call it with AJAX.
note: CORS won't work in old browsers.
Possible solutions:
If you call http://clienturl/xmlrpc/common from http://localhost then the
response.header('Access-Control-Allow-Origin', "*")
is one not so secure solution according to this: Origin http://localhost is not allowed by Access-Control-Allow-Origin
But you can always add another hostname (e.g. http://client.xml.rpc) for your client; for example, on Windows you can modify the hosts file and add a binding using the IIS server.
I don't recommend this solution, because it is a security risk with the allow credentials header.
Another, more secure option is to make a list of allowed hosts, check from which host you got the actual request, and send back the proper header:
// allowedHosts: the list of hosts permitted to read responses
if (allowedHosts.includes(request.host)) {
    if (request.host === "http://localhost") {
        response.header('Access-Control-Allow-Origin', "null");
    } else {
        response.header('Access-Control-Allow-Origin', request.host);
    }
} else {
    response.header('Access-Control-Allow-Origin', server.host);
}
This is the proper solution with multiple hosts, because if you allow credentials for *, then everybody will be able to read and write the session of a logged in user.
For http://localhost and file:/// IRIs you have to use the null origin. I am unsure about other protocols; I guess in the current browsers you have to use the null origin for them as well.
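
The allow-list approach from the last answer, extended to the preflight (OPTIONS) requests that the Ionic and Heroku questions above run into, as an added example that is not part of any of the original posts. The function name corsDecision is hypothetical and the origins, methods and header names are constructed sample values.

```javascript
// Added example, not code from the posts above. All names and values are constructed.
const ALLOWED_ORIGINS = new Set(['https://example.com', 'http://localhost:8100']);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Returns { status, headers } for the CORS part of a response. status is null for
// an ordinary request (the real handler sets it) and 204 or 403 for a preflight.
// reqHeaders uses lower-case keys, as Node.js delivers them in req.headers.
function corsDecision(method, reqHeaders, allowCredentials = true) {
  const origin = reqHeaders['origin'];
  const wantMethod = reqHeaders['access-control-request-method'];
  const isPreflight = method === 'OPTIONS' && wantMethod !== undefined;
  const headers = { 'Vary': 'Origin' }; // response differs per Origin, so caches must too

  // Exact match on scheme://host:port. No substring, suffix or regex matching.
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin at all: the browser refuses to expose the response.
    return { status: isPreflight ? 403 : null, headers };
  }
  const wantHeaders = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (isPreflight && (!ALLOWED_METHODS.includes(wantMethod) ||
      !wantHeaders.every((h) => ALLOWED_HEADERS.includes(h)))) {
    return { status: 403, headers };
  }

  // Echo the vetted origin instead of "*": browsers reject "*" on credentialed requests.
  headers['Access-Control-Allow-Origin'] = origin;
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers }; // must be 2xx and not a redirect
  }
  return { status: null, headers };
}

// Constructed sample: the preflight a browser sends before a JSON POST.
console.log(corsDecision('OPTIONS', {
  'origin': 'http://localhost:8100',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'Content-Type',
}));
```

The preflight branch answers with 204 directly because a browser treats any non-2xx status or redirect on the OPTIONS request as a CORS failure, which matches the 400 and redirect errors quoted in the questions above.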
