
Cross-Origin Request Blocked

So I've got this Go http handler that stores some POST content into the datastore and retrieves some other info in response. On the back-end I use:

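    import (
        "encoding/json"
        "fmt"
        "io/ioutil"
        "net/http"

        "appengine"
        "appengine/datastore"
    )

    func handleMessageQueue(w http.ResponseWriter, r *http.Request) {
        // Sent on every response, whatever the method.
        w.Header().Set("Access-Control-Allow-Origin", "*")
        if r.Method == "POST" {
            c := appengine.NewContext(r)

            body, _ := ioutil.ReadAll(r.Body)
            auth := string(body[:])
            r.Body.Close()
            _ = auth // not used in this excerpt

            q := datastore.NewQuery("Message").Order("-Date")

            var msg []Message
            // The keys returned by GetAll are not needed here.
            _, err := q.GetAll(c, &msg)
            if err != nil {
                c.Errorf("fetching msg: %v", err)
                http.Error(w, "internal error", http.StatusInternalServerError)
                return
            }

            w.Header().Set("Content-Type", "application/json")
            jsonMsg, err := json.Marshal(msg)
            if err != nil {
                c.Errorf("encoding msg: %v", err)
                http.Error(w, "internal error", http.StatusInternalServerError)
                return
            }
            msgstr := string(jsonMsg)
            fmt.Fprint(w, msgstr)
            return
        }
    }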

In my Firefox OS app I use:

    var message = "content";

    var request = new XMLHttpRequest();
    request.open('POST', 'http://localhost:8080/msgs', true);

    request.onload = function () {
        if (request.status >= 200 && request.status < 400) {
            // Success!
            var data = JSON.parse(request.responseText);
            console.log(data);
        } else {
            // We reached our target server, but it returned an error
            console.log("server error");
        }
    };

    request.onerror = function () {
        // There was a connection error of some sort
        console.log("connection error");
    };

    request.send(message);

The incoming part all works along and such. However, my response is getting blocked, giving me the following message:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8080/msgs. This can be fixed by moving the resource to the same domain or enabling CORS. 

I tried a lot of other things but there is no way I can just get a response from the server. However, when I change my Go POST method into GET and access the page through the browser, I get the data that I want so bad. I can't really decide which side goes wrong and why: it might be that Go shouldn't block these kinds of requests, but it also might be that my JavaScript is illegal.

Dani asked Mar 12 '14 20:03



1 Answer

@Egidius, when creating an XMLHttpRequest, you should use

    var xhr = new XMLHttpRequest({mozSystem: true});

What is mozSystem?

mozSystem Boolean: Setting this flag to true allows making cross-site connections without requiring the server to opt-in using CORS. Requires setting mozAnon: true, i.e. this can't be combined with sending cookies or other user credentials. This only works in privileged (reviewed) apps; it does not work on arbitrary webpages loaded in Firefox.

Changes to your Manifest

On your manifest, do not forget to include this line on your permissions:

    "permissions": {
        "systemXHR": {}
    }
msaad answered Sep 22 '22 00:09