Yammers bug Access-Control-Allow-Origin error again - yammer

I have my site added to the white list, all worked fine until yesterday, when I started to get XMLHttpRequest cannot load https://www.yammer.com/platform/login_status.json?client_id=[xxx]&_=1408773433021. No 'Access-Control-Allow-Origin' header is present on the requested resource.
As I remember, there was such a bug a couple of months ago already; can anybody fix it on Yammer's side?

Related

is anyone seeing CORS problems on MS QnA maker?

Each time I try to save and train on Luis.ai I just get an error dialog and
Access to XMLHttpRequest at 'https://puzzleqna.cognitiveservices.azure.com/qnamaker/v4.0/knowledgebases/.....
from origin 'https://www.qnamaker.ai'
has been blocked by CORS policy:
Method PATCH is not allowed by Access-Control-Allow-Methods in preflight response.
6.fe97106b3db0546c50…olyfills.chunk.js:2
PATCH https://puzzleqna.cognitiveservices.azure.com/qnamaker/v4.0/knowledgebases/xxx... net::ERR_FAILED
I have had this problem over a couple of days, so I imagine it's something related to my account, but I'm not sure.

CORS policy with Google Storage allows from my origin, but no 'Access-Control-Allow-Origin' header is present

I'm new to CORS configuration and trying to figure this out, but my set up looks like it is right according to the documentation. I'm hoping you can help me see what I've missed. My code is trying to upload (PUT) a file directly to google storage using a signed url.
Access to XMLHttpRequest at
'https://storage.googleapis.com/herdboss-dev.appspot.com/uploads/152/152-owner-152-61.jpg?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Go...'
from origin 'https://herdboss-dev.appspot.com' has been blocked by
CORS policy: No 'Access-Control-Allow-Origin' header is present on the
requested resource.
I've set the CORS policy on my Google Storage Bucket (added line breaks for readability):
% gsutil cors get gs://herdboss-dev.appspot.com
[{
    "maxAgeSeconds": 3600,
    "method": ["GET", "HEAD", "PUT"],
    "origin": ["https://herdboss-dev.appspot.com"],
    "responseHeader": ["X-Requested-With", "Access-Control-Allow-Origin", "Content-Type"]
}]
According to my chrome inspector, the pre-flight request happens and returns the proper methods and headers (as far as I can tell). Also, as a side note, I noticed the PUT shows up in my Chrome inspector before the OPTIONS, but the timestamps show the OPTIONS is sent first.
When the OPTIONS call happens, Google Storage correctly responds and says it can support my request methods GET, HEAD, PUT and origin https://herdboss-dev.appspot.com:
THE PUT REQUEST
However, when the PUT happens, Google Storage does not respond with the proper Access-Control-Allow-Origin header:
What am I missing or doing wrong? I'm able to use these signed urls to PUT files directly into my Google Storage bucket when I make a direct http call, so I know the signed urls work. I'm just running into this CORS problem. It's a new thing for me, I haven't dealt with it before, but it seems like I'm setting all of the things I should be setting.
EDIT 1:
I tried setting my allowed origins to * just as a test and I was still rejected with the same No 'Access-Control-Allow-Origin' header is present on the requested resource. The Chrome inspector showed the OPTIONS response did send back my * for allowed origins, but it still didn't work and still gave the same error.
Figured it out.
Short version: Chrome's error message about CORS was a red herring. Google Storage was rejecting the request which was being interpreted as a CORS violation.
Long version:
I noticed in Chrome's inspector that the response to my PUT request had a content length of 862 characters, but Chrome wasn't showing me any response. I opened Firefox and tried the upload process again and it failed with the same error messages about CORS and Access-Control-Allow-Origin. However, in Firefox's network inspector, I was able to see the raw response body!
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message>
<StringToSign>.....</StringToSign>
<CanonicalRequest>PUT
/herdboss-dev.appspot.com/uploads/152/152-owner-152-72.png
X-Goog-Algorithm=GOOG4-RSA-SHA256&....;X-Goog-SignedHeaders=content-type%3Bhost
content-type:image/png
host:storage.googleapis.com
content-type;host
UNSIGNED-PAYLOAD
</CanonicalRequest>
</Error>
My theory is that when Chrome and Firefox do the pre-flight CORS checking and then issue the PUT request and receive a 403 response code that it is responding as if it is a CORS problem even though the problem was not CORS related and the preflight response DID actually have the Access-Control-Allow-Origin header.
From here, I was able to quickly diagnose the problem by checking my URL signing code against the request. I noticed that when I created the signed upload URL I was requiring a Content-type of application/octet-stream, but when the JavaScript in the browser was doing the PUT request it was setting the Content-type to image/png. I updated my JavaScript to force the Content-type to match application/octet-stream and then the request succeeded.
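The diagnosis described above, as an added example that is not part of the original post: parse the CanonicalRequest text returned in a SignatureDoesNotMatch body and compare each signed header with the value the signing code required. The function names, the `signedWith` map and the sample request (placeholder bucket, object and query) are assumptions of this example.

```javascript
// Added example. CONSTRUCTED sample of the <CanonicalRequest> text from a
// SignatureDoesNotMatch body; bucket, object and query values are placeholders.
const SAMPLE_CANONICAL_REQUEST = [
  "PUT",
  "/example-bucket/uploads/photo.png",
  "X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-SignedHeaders=content-type%3Bhost",
  "content-type:image/png",
  "host:storage.googleapis.com",
  "",
  "content-type;host",
  "UNSIGNED-PAYLOAD",
].join("\n");

// Split the canonical request into method, path, query, header lines,
// the signed-header list and the payload marker.
function parseCanonicalRequest(text) {
  const lines = text.trim().split(/\r?\n/).map((l) => l.trim());
  if (lines.length < 5) throw new Error("canonical request is too short");
  const [method, path, query] = lines;
  const payload = lines[lines.length - 1];
  const signedHeaders = lines[lines.length - 2].split(";");
  const headers = {};
  for (const line of lines.slice(3, -2)) {
    if (line === "") continue; // blank separator, sometimes lost when copied
    const i = line.indexOf(":");
    headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, query, headers, signedHeaders, payload };
}

// Compare what the server received with what the signer required.
// `signedWith` maps lower-case header names to the values used when signing.
function signedHeaderMismatches(canonicalText, signedWith) {
  const { headers, signedHeaders } = parseCanonicalRequest(canonicalText);
  const problems = [];
  for (const name of signedHeaders) {
    const expected = signedWith[name];
    const received = headers[name];
    if (expected === undefined) {
      problems.push(`${name}: listed as signed but missing from signer config`);
    } else if (received !== expected) {
      problems.push(`${name}: signed "${expected}", sent "${received}"`);
    }
  }
  return problems;
}
```

Because the browser hides the body of a response that fails the CORS check from page script, the error text has to be copied from the network inspector, as the post describes.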

Google Contacts API - CORS issue

I have a web app (serverless) that I have been using for a long time. The idea is that the app gets contacts from my Google Account, and then I can do some actions by using this data.
Unfortunately, in the last few days I started to receive CORS errors... I didn't pay attention, but today I tried to fix it. And I realized that all other Google APIs like maps, locations, OAuth work properly.
The only problematic one is the Google Contacts API. I wonder, is it possible to continue using this API on the client side? I didn't touch the code and google-cloud settings. This is very strange behavior...
Failed to load https://www.google.com/m8/feeds/contacts/default/full?v=3.0&alt=json&access_token=......&updated-min=2018-08-09T22%3A00%3A21.000Z&max-results=500:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://.....' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
The issue is fixed on Google's side (was a bug).

Braintree braintree.dropin.create failed because of CORS

I'm following the instructions from here https://developers.braintreepayments.com/start/hello-client/javascript/v3
When I try braintree.dropin.create I have the following error:
https://api.sandbox.braintreegateway.com/merchants/parameters
Response to preflight request doesn't pass access control check: The
'Access-Control-Allow-Origin' header has a value 'null' that is not
equal to the supplied origin. Origin 'null' is therefore not allowed
access.
I'm doing the call from JavaScript v3, from localhost.
The Braintree site doesn't have any information on this issue. Google search doesn't help either.
UPD. Found the solution. The problem was that I tried the example from a local static HTML file. As soon as I ran a server website (Express) and copied the code there, everything worked as expected.

Allowing cross-domain requests in Safari and Chrome? Server response vs. command line arguments

I am trying to make cross-domain requests with Safari on Windows. My Safari version is 5.1.2.
This is a classical question. I read in many places that Chrome and Safari allow cross-domain requests as long as the server responds with the following header in the response
Access-Control-Allow-Origin: *
I have read this post.
How to allow cross-domain requests in Safari?
and many others on the stackoverflow site too.
However, none of them answers my question.
I am having problems with Chrome AND Safari doing cross-domain AJAX requests even though I am sending the necessary header back from the server.
I finally ran Chrome with "--disable-web-security". Then it worked.
My questions:
1) What do I do with Safari? Do I use a similar command line argument?
2) More importantly, can someone please tell me whether cross-domain functionality is allowed in Chrome and Safari by default as long as the server responds with the header, or do I have to make sure that
a) server responds with a header
AND
b) browser is started with a proper argument.
I found the problem. Reading more about CORS helped: html5rocks.com/en/tutorials/cors. I realized that my requests were triggering preflight requests (OPTIONS) and the server was not set up to handle these requests properly. The reason it was causing preflight requests was that I was using jQuery and it was adding a custom header into my requests. I modified my code to prevent addition of this extra header and my requests no longer needed preflight requests. Now I do not have to disable web security and it works fine.
