
Chrome Cross-Domain PATCH request not working

I have a website with a REST API, and now I'm creating a browser extension which will collect data from some pages and send them back to the REST API. Because I want my extension to be compatible with both Firefox and Chrome, and to be easily maintainable, I'm injecting the actual code into the page as a script tag, which is then executed like normal JavaScript. I'm currently working only on the Chrome version of the extension and I've run into a problem:

When I'm trying to send my data to the API (PATCH request), Chrome won't let me, saying:

XMLHttpRequest cannot load http://my.rest/api. Origin http://website.com is not allowed by Access-Control-Allow-Origin.

I have the Access-Control-Allow-Headers, Methods and Origin all set to proper values, but it still doesn't work. It works with GET requests though. I've also tried POST and PUT requests, but those don't work either.

Here are my headers:

Request:

OPTIONS /some/api/path HTTP/1.1
Host: my.rest
Connection: keep-alive
Access-Control-Request-Method: PATCH
Origin: http://website.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
X-FireLogger: 1.1
Access-Control-Request-Headers: accept, x-http-auth-user, x-http-auth-token, origin, content-type
Accept: */*
Referer: http://website.com/index.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: cs-CZ,cs;q=0.8

Response:

Access-Control-Allow-Headers:accept, x-http-auth-user, x-http-auth-token, origin, content-type
Access-Control-Allow-Methods:PATCH
Access-Control-Allow-Origin:*
Connection:Keep-Alive
Content-Type:text/html; charset=utf-8
Date:Thu, 04 Jul 2013 10:50:08 GMT
Keep-Alive:timeout=5, max=100
Server:Apache/2.4.2 (Win64) PHP/5.4.3
X-Frame-Options:SAMEORIGIN
X-Powered-By:Nette Framework

I've also tried setting Access-Control-Allow-Origin to exactly the same value as the Origin header, but it didn't work. Furthermore, it seems to be working in Firefox. I have Chrome 27, which should be up-to-date.

hynner asked Jul 04 '13 11:07




2 Answers

I face a similar problem in Node.js with CORS.

You need to set the Access-Control-Allow-Origin to the specific domain, not a wildcard.

Example: Access-Control-Allow-Origin to http://website.com

(You can have on your server an array of origins allowed and check against the request if it is allowed then answer with that one instead of wildcards.)

Also, you can set the Access-Control-Allow-Methods headers to a list of options like:

POST, GET, OPTIONS, DELETE, PUT
imekinox answered Sep 17 '22 15:09
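The allowlist check described in the answer above, as an added example that is not part of the original post: a preflight handler that echoes the Origin only on an exact allowlist match and validates the requested method and headers. The function name `preflightResponse`, the `ALLOWED_*` constants and the sample inputs are assumptions made for illustration.

```javascript
// Constructed allowlist for illustration; use the origins your API actually trusts.
const ALLOWED_ORIGINS = new Set(["http://website.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["accept", "origin", "content-type",
                         "x-http-auth-user", "x-http-auth-token"];

// Returns { status, headers } for an OPTIONS preflight.
// reqHeaders: object keyed by lower-cased header names (hypothetical input shape).
function preflightResponse(reqHeaders) {
  // The response depends on Origin, so caches must key on it.
  const headers = { "Vary": "Origin" };
  const origin = reqHeaders["origin"];
  // Exact string match only: no substring or regex tests, never echo an unknown origin.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers };
  }
  const method = reqHeaders["access-control-request-method"] || "";
  if (!ALLOWED_METHODS.includes(method)) {
    return { status: 403, headers };
  }
  // Every header the browser announces must be on the allowlist.
  const requested = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (requested.some((h) => !ALLOWED_HEADERS.includes(h))) {
    return { status: 403, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  return { status: 204, headers };
}

// Constructed sample: the preflight shown in the question.
const samplePreflight = {
  "origin": "http://website.com",
  "access-control-request-method": "PATCH",
  "access-control-request-headers":
    "accept, x-http-auth-user, x-http-auth-token, origin, content-type",
};
console.log(preflightResponse(samplePreflight));
// A look-alike origin must not be echoed back.
console.log(preflightResponse({ ...samplePreflight, origin: "http://website.com.evil.example" }));
```

The response to the actual PATCH request must also carry the matching Access-Control-Allow-Origin and Vary: Origin headers, not only the preflight response.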


You should allow OPTIONS in your response header.

"Access-Control-Allow-Methods", "GET, POST, HEAD, OPTIONS, PUT, DELETE"

Shashank Shukla answered Sep 20 '22 15:09