Access-Control-Allow-Origin: * not working?

Classic "Origin ... is not allowed by Access-Control-Allow-Origin" problem. Two machines serve contents for the same website. When machine A does a $('#main').load('link_to_resource_on_B') via jquery, machine B serves up the content with mod_python, adding Access-Control-Allow-Origin: * header. But for some reason, this still does not work. I tested this on Chrome, Safari, and Internet Explorer. And I tested via command line to check the response header, it seems Access-Control-Allow-Origin: * is successfully in the header from B. See below. What could I be missing?

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /tests/python/test/env HTTP/1.1
host: 10.0.1.10 

HTTP/1.1 200 OK
Date: Mon, 27 Feb 2012 02:05:33 GMT
Server: Apache/2.2.20 (Ubuntu)
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html

user1170717 asked Feb 27 '12 04:02

1 Answer

Enabling the Access-Control-Allow-Origin header in the response is not sufficient. The server-side implementation should also provide proper handling for the pre-flight OPTIONS request. In particular, the following HTTP headers must be set in the OPTIONS response:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST

Consider replacing the wildcard with the list of domains allowed to access the cross-origin server.

Keep in mind that the Access-Control-Allow-Origin HTTP header must also be set in the following GET & POST responses.

Other HTTP headers such as Access-Control-Allow-Headers might also be needed in the OPTIONS response in case non-standard HTTP headers are used.

A great article explaining CORS can be found here

Alexander Pranko answered Sep 28 '22 23:09
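The preflight handling the answer describes, as an added example that is not part of the question or the answer (the asker's server runs mod_python, but this uses only the standard library so it runs anywhere). It factors the CORS decision into one pure function, cors_headers, so the headers for the OPTIONS preflight and for the following GET/POST can be checked without a browser. The origins in ALLOWED_ORIGINS, the allowed request headers, and the port are assumed values, not from the page; the function also implements the answer's suggestion of an origin allow-list instead of the wildcard, and of echoing Access-Control-Allow-Headers only when a requested header is permitted.

```python
"""Minimal CORS-aware HTTP handler (added example; not from the page)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed configuration: origins allowed to read responses from this server.
# Use {"*"} only for public, credential-free resources.
ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}
ALLOWED_METHODS = ("GET", "POST")
# Request headers a preflight may ask for (lower-case); assumed values.
ALLOWED_REQUEST_HEADERS = {"content-type", "x-requested-with"}


def cors_headers(method, request_headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (status, headers) for the CORS part of a response.

    method          -- HTTP method of the incoming request ("OPTIONS", "GET", ...)
    request_headers -- dict of request headers; lookup is case-insensitive here
    The browser sends OPTIONS with Access-Control-Request-Method before a
    non-simple cross-origin request. Both that preflight and the actual
    GET/POST response must carry Access-Control-Allow-Origin.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    if origin is None:
        # Same-origin or non-browser client (e.g. the telnet test): nothing to add.
        return 200, {}
    if "*" in allowed_origins:
        allow_origin = "*"
    elif origin in allowed_origins:
        allow_origin = origin
    else:
        # Unknown origin: omit Allow-Origin so the browser refuses the read;
        # a preflight from an unknown origin is rejected outright.
        return (403 if method == "OPTIONS" else 200), {"Vary": "Origin"}

    out = {"Access-Control-Allow-Origin": allow_origin}
    if allow_origin != "*":
        out["Vary"] = "Origin"  # the answer depends on the Origin header; keep caches honest
    if method == "OPTIONS" and "access-control-request-method" in hdrs:
        req_method = hdrs["access-control-request-method"].upper()
        if req_method not in ALLOWED_METHODS:
            return 403, out
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        # Grant only requested headers that are on the allow-list; refuse otherwise.
        requested = hdrs.get("access-control-request-headers", "")
        wanted = [h.strip().lower() for h in requested.split(",") if h.strip()]
        granted = [h for h in wanted if h in ALLOWED_REQUEST_HEADERS]
        if len(granted) != len(wanted):
            return 403, out
        if granted:
            out["Access-Control-Allow-Headers"] = ", ".join(granted)
        out["Access-Control-Max-Age"] = "600"  # let the browser cache the preflight
        return 204, out
    return 200, out


class Handler(BaseHTTPRequestHandler):
    """Wires cors_headers into a real HTTP server (assumed paths and body)."""

    def _send(self, status, headers, body=b""):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        status, headers = cors_headers("OPTIONS", dict(self.headers.items()))
        self._send(status, headers)

    def do_GET(self):
        status, headers = cors_headers("GET", dict(self.headers.items()))
        headers["Content-Type"] = "text/html"
        self._send(status, headers, b"<p>content served by machine B</p>")

    do_POST = do_GET


if __name__ == "__main__":
    # Assumed bind address and port for a local test.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A quick way to see the difference from the asker's telnet session: the request there carried no Origin header, so the server could not have told an allowed origin from a disallowed one, and no OPTIONS handler was exercised at all. Sending "OPTIONS /path HTTP/1.1" with Origin and Access-Control-Request-Method headers against this handler shows the 204 preflight reply with Allow-Origin and Allow-Methods, which is the exchange the browser performs before the jQuery load.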