I have a form on my homepage that is set up to submit via XHR POST to the URL https://mydomain.com/send_sms.
When I visit the non-SSL version of the homepage in Internet Explorer (http://mydomain.com) & submit the form, nothing happens. In Webkit console, I receive a helpful error stating Origin http://mydomain.com is not allowed by Access-Control-Allow-Origin.
In Firefox 13 however, the request clearly submits & a returns a 200 OK
, though the response body is blank. Furthermore, the server-side action (sending an SMS) is in fact triggered by the Firefox request but not the other browsers.
I always thought the same-origin policy denied even the sending of the request, but perhaps it's the browser receiving data from the response that's disallowed?
Anyone know if this is a purposeful difference in implementation (or possibly even an oversight) by Mozilla?
The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
The same-origin policy restricts which network messages one origin can send to another. For example, the same-origin policy allows inter-origin HTTP requests with GET and POST methods but denies inter-origin PUT and DELETE requests.
Hence the name same-origin policy. The same-origin policy is active by default and most browsers provide good error messages when actions cannot be executed because of same-origin policy issues. For instance, the following script defines an illegal cross-origin HTTP request.
In computing, the same-origin policy (sometimes abbreviated as SOP) is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
First of all, http://example.com
and https://example.com
are different origins. For XHR Level 1 this would mean, cross-origin requests are not allowed.
But for the current XHR (Level 2), which supports cross-origin requests when CORS is supported (by both server and client!), a cross-origin request can either be
a simple cross-orgin request, if
GET
, HEAD
, or POST
, andAccept
, Accept-Language
, Content-Language
, or Content-Type
, andor
a cross-origin request that requires a preflight, otherwise.
For simple cross-origin requests, the browser is allowed to send the request. But when the response is received, it needs to check whether the server allows to share the resource. This is where the Access-Control-Allow-Origin
header field and other Access-Control-*
response header fields are checked. And only if this check is passed, the browser allows the script to read the response.
For other cross-origin requests, a preflight is required to negotiate with the server what information is allowed to be sent in the actual request. This preflight request is basically a OPTIONS
request telling the server what the actual request will contain (request method and header fields). Then the server can decide whether it allows such request or not.
In your case, the observed behavior can have multiple reasons. I guess your send_sms script just doesn’t support the server side part for CORS.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With