So I've got this Go http handler that stores some POST content into the datastore and retrieves some other info in response. On the back-end I use:

    func handleMessageQueue(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Access-Control-Allow-Origin", "*")
        if r.Method == "POST" {
            c := appengine.NewContext(r)
            body, _ := ioutil.ReadAll(r.Body)
            auth := string(body[:])
            r.Body.Close()
            _ = auth // request body; not used further in this excerpt

            q := datastore.NewQuery("Message").Order("-Date")
            var msg []Message
            // The keys returned by GetAll are not needed here.
            _, err := q.GetAll(c, &msg)
            if err != nil {
                c.Errorf("fetching msg: %v", err)
                return
            }

            w.Header().Set("Content-Type", "application/json")
            jsonMsg, err := json.Marshal(msg)
            if err != nil {
                c.Errorf("encoding msg: %v", err)
                return
            }
            msgstr := string(jsonMsg)
            fmt.Fprint(w, msgstr)
            return
        }
    }

In my Firefox OS app I use:

    var message = "content";
    var request = new XMLHttpRequest();
    request.open('POST', 'http://localhost:8080/msgs', true);

    request.onload = function () {
        if (request.status >= 200 && request.status < 400) {
            // Success!
            var data = JSON.parse(request.responseText);
            console.log(data);
        } else {
            // We reached our target server, but it returned an error
            console.log("server error");
        }
    };

    request.onerror = function () {
        // There was a connection error of some sort
        console.log("connection error");
    };

    request.send(message);

The incoming part all works along and such. However, my response is getting blocked, giving me the following message:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8080/msgs. This can be fixed by moving the resource to the same domain or enabling CORS.
I tried a lot of other things but there is no way I can just get a response from the server. However, when I change my Go POST method into GET and access the page through the browser, I get the data that I want so bad. I can't really decide which side goes wrong and why: it might be that Go shouldn't block these kinds of requests, but it also might be that my JavaScript is illegal.
Cross-Origin Read Blocking (CORB) is an algorithm that can identify and block dubious cross-origin resource loads in web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages.
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.
@Egidius, when creating an XMLHttpRequest, you should use
var xhr = new XMLHttpRequest({mozSystem: true});
What is mozSystem?
mozSystem Boolean: Setting this flag to true allows making cross-site connections without requiring the server to opt-in using CORS. Requires setting mozAnon: true, i.e. this can't be combined with sending cookies or other user credentials. This only works in privileged (reviewed) apps; it does not work on arbitrary webpages loaded in Firefox.
Changes to your Manifest
In your manifest, do not forget to include this line in your permissions:
"permissions": { "systemXHR": {} }