Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is same origin policy kicking in when making request from localhost to localhost?

I'm keeping the backend API as a separate project from the frontend HTML5 app consuming it. I'm using Yeoman for the frontend development. Yeoman runs on localhost:3501 and the backend on localhost:3000. When I make the API request from the browser (using AngularJS's $http), I hit the same origin policy:

XMLHttpRequest cannot load http://localhost:3000/venues. Origin http://localhost:3501 is not allowed by Access-Control-Allow-Origin.

AFAIK, same origin policy should kick in only when making request across different domains. Why is it whining when we do a request from localhost to localhost (albeit to different port)?

How can I make this work and will this cause problems in production?

like image 421
randomguy Avatar asked Jan 10 '13 16:01

randomguy


People also ask

How do you solve the same-origin policy?

Changing Origin Occasionally, the same origin policy may block requests between subdomains on the same domain. The easiest way to solve this problem is to set document. domain from within JavaScript.

Which is blocked by the same-origin policy by default?

The same-origin policy is a foundational building block of web security. It essentially defines protection domains which are used to restrict actions and access to web resources. One such restriction is that scrips executing on http://example.com are not allowed to access resources on http://subdomain.example.com .

What is same-origin policy how you can avoid same-origin policy?

In computing, the same-origin policy (sometimes abbreviated as SOP) is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

What is same-origin policy and Cors?

The same-origin policy is an important security feature of any modern browser. Its purpose is to restrict cross-origin interactions between documents, scripts, or media files from one origin to a web page with a different origin. The HTTP protocol was extremely simple when it was first created.


2 Answers

The ports also count for cross domain requests, therefore http://localhost:3000 and http://localhost:3501 are 2 different domains (from browser's point of view).

If you need both applications (client and backend) to run on different ports, consider using http://enable-cors.org/

like image 157
bmleite Avatar answered Nov 15 '22 09:11

bmleite


According to W3C, "An origin is defined by the scheme, host, and port of a URL", so the different port is causing your problems.

Two possible solutions:

  • CORS (Cross Origin Resource Sharing)
  • Using JSONP requests

Both would require changes to your backend (I'm not familiar enough wo. CORS would probably mean the least changes to your frontend (I think AngularJS supports it out-of-the-box).

like image 33
robertklep Avatar answered Nov 15 '22 09:11

robertklep