Menu
I have a website with REST Api and now I´m creating a browser extension, which will collect data from some pages and send them back to the REST Api. Because I want my extension to be compatible with both firefox and chrome, and to be easily maintainable, I´m injecting the actual code into page as a script tag, which is then executed like normal javascript. I´m currently working only on chrome version of the extension and I´ve run into a problem:
When I´m trying to send my data to the api (PATCH request), chrome won´t let me saying:
XMLHttpRequest cannot load http://my.rest/api. Origin http://website.com is not allowed by Access-Control-Allow-Origin.
I have the Access-Control-Allow-Headers, Methods and Origin all set to proper values, but it still doesn´t work. It works with GET requests though. I´ve also tried POST and PUT request but those don´t work either.
Here are my headers:
Request:
OPTIONS /some/api/path HTTP/1.1
Host: my.rest
Connection: keep-alive
Access-Control-Request-Method: PATCH
Origin: http://website.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
X-FireLogger: 1.1
Access-Control-Request-Headers: accept, x-http-auth-user, x-http-auth-token, origin, content-type
Accept: */*
Referer: http://website.com/index.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: cs-CZ,cs;q=0.8
Response:
Access-Control-Allow-Headers:accept, x-http-auth-user, x-http-auth-token, origin, content-type
Access-Control-Allow-Methods:PATCH
Access-Control-Allow-Origin:*
Connection:Keep-Alive
Content-Type:text/html; charset=utf-8
Date:Thu, 04 Jul 2013 10:50:08 GMT
Keep-Alive:timeout=5, max=100
Server:Apache/2.4.2 (Win64) PHP/5.4.3
X-Frame-Options:SAMEORIGIN
X-Powered-By:Nette Framework
I´ve also tried setting Access-Control-Allow-Origin to exactly same value as Origin header, but it didn´t work. Furthemore it seems to be working in Firefox. I have Chrome 27, which should be up-to-date.
723
Simply activate the add-on and perform the request. CORS or Cross-Origin Resource Sharing is blocked in modern browsers by default (in JavaScript APIs). Installing this add-on will allow you to unblock this feature.
If you're using Chrome, starting it from the terminal with the --allow-file-access-from-files option might help you out. Yeah, it's not really cross-domain when the file is in the same folder as the webpage, now is it... I found that if you use Firefox instead of Chrome, the problem goes away.
List of feature: - Allow cross domain - Customize Url pattern base on Javascript Regex - Allow enable, disable - Very friendly interface Under the hood: This extension allow Cross-Origin Resource Sharing (CORS) by modify header response from server and add more header to allow CORS request: Access-control-allow-origin ...
Cross domain issues arise when data from one domain is used in another domain, without the proper permissions. Domains are used to keep data separate and secure. Cross domain issues arise when data from one domain is used in another domain, without the proper permissions.
I face a similar problem in node.js with CORS
You need to set the Access-Control-Allow-Origin to the specific domain not a wildcard.
Example: Access-Control-Allow-Origin to http://website.com
(You can have on your server an array of origins allowed and check against the request if it is allowed then answer with that one instead of wildcards.)
Also, you can set the Access-Control-Allow-Methods headers to a list of options like:
POST, GET, OPTIONS, DELETE, PUT
you should allow OPTIONS in your response header..
"Access-Control-Allow-Methods ", "GET, POST,HEAD, OPTIONS,PUT, DELETE"
36
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
