I have a client in one workspace and the server side in another workspace.
I have cross origin in the server workspace:
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'POST, GET, PUT, DELETE, OPTIONS');
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Max-Age', '86400');
res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
But while calling from the client side, I get the error below:
Mixed Content: The page at 'https://blogclient-vignesh55.c9users.io/?_c9_id=livepreview1&_c9_host=https://ide.c9.io#/home' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://10.237.69.147:15871/cgi-bin/blockpage.cgi?ws-session=18446744072714596624'. This request has been blocked; the content must be served over HTTPS
Your problem here is not the Same Origin Policy, but that your page is mixing http and https calls. Make sure to either use protocol-independent urls like //someurl.com or that you only use one protocol throughout your project.
PS: If you actually read the error message, it tells you exactly this:
the content must be served over HTTPS
and you try to call it via http:
http://xx.xx.xx.xx:15871/cgi-bin/blockpage.cgi?ws-session=XXX
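The check behind the error message above, as an added example that is not part of the original answer: it resolves a request URL against the page URL, the way the protocol-independent `//someurl.com` form is resolved, and reports whether the browser would treat the request as mixed content. The function name and sample URLs are constructed, and the loopback exemption is an assumption based on how current browsers treat localhost addresses.

```javascript
// Added example: would a request from this page be blocked as mixed content?
// Assumption: loopback hosts are exempt, as in current browsers.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

function checkMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  // Relative and protocol-relative URLs ("//host/path") inherit the page's scheme.
  const target = new URL(requestUrl, page);
  const insecure = target.protocol === 'http:' || target.protocol === 'ws:';
  const blocked =
    page.protocol === 'https:' && insecure && !LOOPBACK.has(target.hostname);
  return { resolved: target.href, blocked };
}

// Constructed inputs: an HTTPS page calling four differently written endpoints.
const PAGE = 'https://app.example/#/home';
const SAMPLES = [
  'http://192.0.2.10:15871/cgi-bin/page', // absolute http URL: blocked
  '//api.example/posts',                  // protocol-relative: becomes https
  '/api/posts',                           // same-origin relative: stays https
  'http://localhost:8080/graphql',        // loopback: exempt
];

function report() {
  return SAMPLES.map((url) => checkMixedContent(PAGE, url));
}
```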
Related
I am currently taking a NodeJS course and learning GraphQL.
The course instructed us to set the headers on the server side like this:
app.use((req, res, next) => {
    res.setHeader('Access-Control-Allow-Origin', '*');
    res.setHeader(
        'Access-Control-Allow-Methods',
        'OPTIONS, GET, POST, PUT, PATCH, DELETE'
    );
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
    if (req.method === 'OPTIONS') {
        return res.sendStatus(200);
    }
    next();
});
However it keeps giving me a
App.js:122 PUT http://localhost:8080/graphql 405 (Method Not Allowed)
error.
I tried looking at the video multiple times and looking around for answers but had no luck.
Setting the response header Access-Control-Allow-Methods: ..., PUT, ... tells the browsers to allow cross-origin clients, i.e. a 3rd-party website from another domain, to send PUT requests to your backend service. This has nothing to do with the error response 405 (PUT) Method not allowed.
The error 405 (PUT) Method not allowed is returned by your Node.js app because there are no actions to handle PUT requests to that path in your code.
GraphQL libraries typically use POST. Try sending POST requests to your GraphQL endpoint instead of PUT.
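How the two layers in this answer stay separate, as an added example that is not the course's or the answerer's code: the CORS headers from the question go on every response, while the status code comes from the route table, so a PUT that the preflight advertises still ends in 405. The `handle` function, the route table and the response shape are hypothetical.

```javascript
// Added example: CORS headers and method routing are decided independently.
const CORS_HEADERS = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'OPTIONS, GET, POST, PUT, PATCH, DELETE',
  'Access-Control-Allow-Headers': 'Content-Type, Authorization',
};

// Hypothetical route table: the GraphQL endpoint only implements POST.
const ROUTES = {
  '/graphql': { POST: () => ({ status: 200, body: { ok: true } }) },
};

function handle(method, path) {
  // Layer 1: the CORS headers are attached to every response.
  const headers = { ...CORS_HEADERS };
  // The preflight is answered before routing, so it succeeds for any method.
  if (method === 'OPTIONS') return { status: 200, headers };
  const route = ROUTES[path];
  if (!route) return { status: 404, headers };
  const handler = route[method];
  if (!handler) {
    // Layer 2: no handler for this method on this path.
    // The Allow header tells the client which methods the route implements.
    headers.Allow = Object.keys(route).join(', ');
    return { status: 405, headers };
  }
  return { ...handler(), headers };
}
```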
I've set up a Node.js (TypeScript hosted on Google Cloud Platform [GCP]) app for CORS but I'm still getting errors (Origin is not allowed by Access-Control-Allow-Origin) on mobile--desktop works fine.
I've searched but there are so many questions about getting this set up in general, I can't find why it specifically isn't working for mobile.
this.app.use(cors());
this.app.options('*', cors());
...
router.use(function(req, res, next) {
    res.header('Content-Type', 'application/json');
    res.setHeader('Access-Control-Allow-Origin', '*');
    res.setHeader('Access-Control-Allow-Methods', 'DELETE,GET,OPTIONS,PATCH,POST');
    res.setHeader('Access-Control-Allow-Headers', 'Origin, Accept, Authorization, Content-Type, X-Requested-With, Access-Control-Allow-Headers, Access-Control-Request-Method, Access-Control-Request-Headers');
    next();
});
BTW, the errors don't appear in the console until a few minutes after the page has loaded. (I've removed the URLs, which are valid.)
"XMLHttpRequest cannot load due to access control checks."
"Failed to load resource: Origin is not allowed by Access-Control-Allow-Origin."
The issue was missing data in the DB, so the Node endpoint was not returning properly. The errors had nothing to do with the problem.
I have created an API service using Node.js and it works fine when I access it through the browser. But when I try to call it from a web application (MEAN app), I get the "Failed to load http://localhost:2020/api/posts: Request header field If-Modified-Since is not allowed by Access-Control-Allow-Headers in preflight response" issue.
The following code is added in index.js of the API service.
// Add headers
app.use(function (req, res, next) {
    // Website you wish to allow to connect
    res.setHeader('Access-Control-Allow-Origin', '*');
    // Request methods you wish to allow
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');
    // Request headers you wish to allow
    res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type');
    // Set to true if you need the website to include cookies in the requests sent
    // to the API (e.g. in case you use sessions)
    res.setHeader('Access-Control-Allow-Credentials', true);
    // Pass to next layer of middleware
    next();
});
and I added the following lines in the controller of the web app:
app.config(["$routeProvider", "$httpProvider", function ($routeProvider, $httpProvider) {
    $httpProvider.defaults.headers.common['Access-Control-Allow-Headers'] = '*';
}
]);
But no luck after adding the above lines. How do I resolve this issue?
Thanks.
You need to add If-Modified-Since to Access-Control-Allow-Headers in your server code:
res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type,If-Modified-Since');
Also, the part where you touch the HTTP header on the client seems useless to me; I don't think you can do anything with that.
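The preflight comparison that produced the error in the question, as an added example that is not part of the original answer: each name in the browser's Access-Control-Request-Headers is checked against the server's Access-Control-Allow-Headers. The function names are hypothetical, and the wildcard handling (ignored for credentialed requests, never covering Authorization) follows the Fetch specification.

```javascript
// Added example: emulate the browser's preflight check on request headers.
function parseList(value) {
  return (value || '')
    .split(',')
    .map((name) => name.trim().toLowerCase())
    .filter(Boolean);
}

// Returns the requested header names that the preflight response does not allow.
function rejectedHeaders(requestHeaders, allowHeaders, credentialed = false) {
  const allowed = new Set(parseList(allowHeaders));
  // "*" acts as a wildcard only for requests sent without credentials.
  const wildcard = allowed.has('*') && !credentialed;
  return parseList(requestHeaders).filter((name) => {
    if (allowed.has(name)) return false;
    // Authorization must always be listed by name, even with "*".
    if (wildcard && name !== 'authorization') return false;
    return true;
  });
}

// Constructed preflight values matching the question and the fix in the answer.
const requested = 'if-modified-since';
const before = 'X-Requested-With,content-type';
const after = 'X-Requested-With,content-type,If-Modified-Since';

// The client-side line in the question sets a request header named
// Access-Control-Allow-Headers, so that name has to pass this same check.
const requestedWithClientHeader = 'access-control-allow-headers, if-modified-since';
```

`rejectedHeaders(requested, before)` reports `if-modified-since`, and the same call with `after` reports nothing; with `requestedWithClientHeader` the fixed list still rejects the header the client added.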
I have a web server running a Node server on a server. The Node server sets 'Access control' in the response header to a specific web site, to allow only that website to access the resources served by my Node server:
header["Access-Control-Allow-Origin"] = "https://www.mywebsite.com";
In mywebsite.com when calls are made to get resources from the node server, the request works fine since they are coming from the authorized web site. I tested this on Chrome and FireFox. When I tried the same thing using IE10, the resources were not served ok.
When looking at the header request and response for IE 10, I noticed that the 'origin' is not filled correctly while it was filled ok using Firefox and Chrome.
Here is the Chrome header:
[Image: Chrome header values]
While IE 10 header was:
[Image: Internet Explorer header values for same get request]
On IE 10, the origin is filled with 'blob://'
While on Chrome and Firefox the origin web site domain is listed correctly allowing the CORS to work properly.
The resources served by the node server are mbtiles with .pbf that are binary streams.
Any idea why IE10 seems to put an incorrect origin in the request header? And maybe a workaround or solution for it?
Thanks
I'm not sure if this will solve your problem but I have never had an issue using this method:
app.use((req, res, next) => {
    res.header('Access-Control-Allow-Origin', 'http://www.website.com');
    res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
    res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization, Access-Control-Allow-Credentials');
    res.header('Access-Control-Allow-Credentials', 'true');
    next();
});
I am trying to connect from Angular to an Express.io socket, but I get a 404 CORS error. How can I solve this?
XMLHttpRequest cannot load http://localhost:3000/socket.io/?EIO=3&transport=polling&t=1447367208172-29. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.
If I load this route directly from the browser, it works well. But from localhost:80 (Angular) to localhost:3000 (Express.io) it does not work.
In my Express.io I disabled CORS, and it works well for normal ajax requests, but not for socket.io:
app.use(function(req, res, next) {
    res.header('Access-Control-Allow-Credentials', true);
    res.header('Access-Control-Allow-Origin', req.headers.origin);
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
    res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
    next();
});
My initialization of socket.io in express.io:
app.http().io()
Are you running this Angular app in Chrome? I imagine it's the same way for most browsers, but on Chrome CORS will not work with localhost: https://code.google.com/p/chromium/issues/detail?id=67743
What I've done to get around this in the past is alter my hosts (if on Windows). You can also use lvh.me instead of localhost if you do not want to alter your hosts file on Windows.
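An allowlist variant of the CORS middleware shown in the threads above, as an added example that is not code from any of the posters: the middleware in the last question echoes req.headers.origin back together with Access-Control-Allow-Credentials, which grants credentialed access to every origin, while an earlier answer pins a single origin. The function names and the origins are constructed; the middleware relies only on the req.headers, res.setHeader and next shape already used on this page.

```javascript
// Added example: reflect the Origin header only when it is on an exact-match allowlist.
function corsAllowlist(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function cors(req, res, next) {
    const origin = req.headers.origin;
    // The response differs per Origin, so caches must key on it.
    res.setHeader('Vary', 'Origin');
    if (origin && allowed.has(origin)) {
      // Exact string match: scheme, host and port must all be listed.
      res.setHeader('Access-Control-Allow-Origin', origin);
      res.setHeader('Access-Control-Allow-Credentials', 'true');
      res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
      res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept');
    }
    // Unlisted origins get no CORS headers, so the browser will not
    // expose the response to the calling page.
    if (req.method === 'OPTIONS') {
      res.statusCode = 204;
      return res.end();
    }
    next();
  };
}

// Constructed stand-ins for req and res so the middleware can be exercised offline.
function simulate(middleware, method, origin) {
  const headers = {};
  const res = {
    statusCode: 200,
    setHeader: (name, value) => { headers[name] = value; },
    end: () => {},
  };
  let passedOn = false;
  middleware({ method, headers: { origin } }, res, () => { passedOn = true; });
  return { headers, status: res.statusCode, passedOn };
}
```

Mount it with `app.use(corsAllowlist([...]))` before the routes; `simulate` exists only to run the middleware without a server.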