Everthing has been work absolutely fine - until I upgraded to a later version of ServiceStack recently - I'm now on version 4.0.35.0
Public Overrides Sub Configure(container As Funq.Container)
Dim appSettings = New AppSettings() 'Gets settings from web.config
...
Plugins.Add(New CorsFeature(allowOriginWhitelist:={"http://localhost:8888", "http://site1.abc.com", "http://site2.abc.com", "http://site3.abc.com"}, allowedMethods:="GET, POST, PUT, DELETE, OPTIONS", allowedHeaders:="Content-Type, Authorization", allowCredentials:=True))
End Sub
Error being received is:
XMLHttpRequest cannot load https://site1.abc.com/auth/credentials.
The 'Access-Control-Allow-Origin' header contains multiple values 'http://site1.abc.com, http://site1.abc.com',
but only one is allowed. Origin 'http://site1.abc.com' is therefore not allowed access.
The call is being made from site1.abc.com and interestingly its saying that its in their twice - but it definately isnt.
Any clues as to what's going on
I do need multiple sites calling an API on a single endpoint with credentials.
Thanks
Terry
This issue should now be resolved with the v4.0.36 Release of ServiceStack that's now available on NuGet.
Related
Getting this error:
Access to fetch at 'https://myurl.azurewebsites.net/Player/1' from origin 'http://localhost:19006' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I'm not the first with this error, but I feel like I have tried everything that one can find through searching for the problem. I'm developing a web API with ASP.net core, that's supposed to communicate with my react-native frontend. Problem is, I cannot for the life of me get the connection to work.
In program.cs I have added
var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
builder.Services.AddCors(options =>
{
options.AddPolicy(name: MyAllowSpecificOrigins,
policy =>
{
policy.AllowAnyMethod();
policy.AllowAnyHeader();
policy.AllowAnyOrigin();
});
});
and
app.UseCors(MyAllowSpecificOrigins);
I have tried adding no cors to the method itself
[DisableCors]
[HttpGet("{id}")]
public List<Player> GetPlayers(int id)
{
return (from c in _context.Player.Take(1)
where c.PlayerId == id
select c).ToList();
}
I even deployed the server and database on Azure (I was supposed to sooner or later anyway) just hoping that would allow me to get it to work. The API runs fine if I visit the URL and run it through that one. It also works great if I host it locally and go through the web.
On Azure I've changed my cors settings to allow everything:
I can even access the API through expo web if I run it locally at the same time. But I need to be able to do it through my phone as well, or at least an android emulator. Neither of those works for neither a locally hosted server, or one that's on Azure.
How can I solve this?
Actually, shortly after setting my Azure cors settings, it did indeed start to work. Finally, I can at least demo it. Unfortunately, I still have no solution that solves it when hosting locally.
While testing the API definition of my Azure Function (within the portal) I get this CORS error:
This is a cross-origin call. Make sure the server at ***.azurewebsites.net accepts POST requests from functions.azure.com. Learn more
I verified that this is listed as a CORS allowed origin within the function settings:
https://functions.azure.com
Am I missing something?
I cannot reproduce this on my side.
I added the following to ALLOWED ORIGINS:
The output in the Azure portal:
I also test it by making a POST request to the function in the browser via jQuery:
If you want us to dive into this problem you may need to provide detailed steps to reproduce.
The problem turned out to be the API definition. CORS was working fine although that was indicated as the problem in the error messages. The missing piece in the API definition was
security: []
which was missing in the POST section. I guess the security entry is required even if it's empty. It would've been nice if there was a warning that this was missing.
Created custom provider that implements: OAuthProvider, IAuthWithRequest.
Created AuthenticateAttribute that calls PreAuthenticate() method of the provider.
Configured CorsFeature:
Plugins.Add(new CorsFeature(new[] { "http://localhost:23589", "*" },
allowCredentials: true,
allowedHeaders: "Content-Type, Allow, Authorization"));
Problem: when provider's Authenticate method is called to request a code from
"login.microsoftonline.com" (authService.Redirect(PreAuthUrlFilter(this, codeRequest)); ) the following error is thrown:
XMLHttpRequest cannot load https://login.microsoftonline.com/d331431b-899c-4666-8094-e82e6bfc3964/oaut…orts%2fpbi&scope=user_impersonation&state=f8e986304a47427d8c6a76767f2ef573. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:23589' is therefore not allowed access.
What is the correct way to:
Request an auth code from Microsoft
Get the code back in a query string
Request auth Token using the code
Authorization Code Grant Flow Diagram
Have a look at ServiceStack.Authentication.Aad. At a minimum this should offer a unit-tested reference implementation. Or perhaps you can use the NuGet package directly.
I encourage you to clone the repository where you can step through the stand-alone SelfHostTest as well as unit tests.
To my knowledge, CORS should not be necessary. I may be wrong. But in my implementation the JSON responses coming from Microsoft were handled by the server, not the web browser.
I'm sorry for not including a code sample in this response; it would be difficult to take a single snippet of code from that repository. The entire repository is the answer to your fundamental question.
Full disclosure: I'm the author of that plugin and garner Imaginary Internet Points for its use.
Using a browser REST client to POST to the activity stream at e.g.
https://connectionsww.demos.ibm.com/connections/opensocial/basic/rest/activitystreams/#me/#all
...with the settings prescribed in IBM Connections OpenSocial API > POSTing new events
...results in the following response:
<error xmlns="http://www.ibm.com/xmlns/prod/sn">
<code>403</code>
<message>You are not authorized to perform the requested action.</message>
<trace></trace>
</error>
What am I missing?
This same approach works nicely on IBM Connections 4.0.
Which setting needs 'switching on'?
Try a URL like this... https://sbtdev.swg.usma.ibm.com:444/connections/opensocial/basic/rest/activitystreams/#me/#all
I added the Basic/Rest component, and it worked for me.
1 - Added URL https://sbtdev.swg.usma.ibm.com:444/connections/opensocial/basic/rest/activitystreams/#me/#all
2 - Changed Method to Post
3 - Added Content-Type: application/json
4 - Authentication -> Basic
5 - Logged IN
6 - Posted
Same thing here: 403 when I make an AJAX call to an IBM Connections 6.0 REST API url. Same error in Chrome, Firefox and IE11. When I open the same URL in a separate browser tab, everything works fine.
Comparing the http headers of both calls, and fiddling with Postman, the diference is the presence and value of the atribute Origin.
Seems that Connections allows calls from its own server. For example, when: Origin: connections.mycompany.com.
It also allows calls when Origin is not defined, which happens when the url is called from a separate browser tab.
There is a doc at IBMs Support site that confirms this - http://www-01.ibm.com/support/docview.wss?uid=swg21999210. It also suggests a workaround that did the job for me: unsetting the Origin attribute in the IBM HTTP Server that is in front of your Connections instance. Add the lines below to the httpd.conf file:
Header unset Origin
RequestHeader unset Origin
I'm trying to get CORS working on my trigger.io app:
I've got the following setup in my .htaccess
Header set Access-Control-Allow-Headers: "Accept,Origin,Content-Type,X-Requested-With"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE,OPTIONS"
Header set Access-Control-Allow-Credentials: "true"
Header set Access-Control-Allow-Origin "http://localhost:3000,content://io.trigger.forge99d5a0b8621e11e28cc2123139286d0c"
Running the trigger App in the web (localhost:3000) works fine.
But when I deploy it to an (android) device I see the following error in the debug output:
[ERROR] XMLHttpRequest cannot load {link}http://mydevtest.lan/api/auth/currentuser.{/link} Origin content://io.trigger.forge99d5a0b8621e11e28cc2123139286d0c is not allowed by Access-Control-Allow-Origin. -- From line 1 of null
I'm fearing that setting content:// in the Access-Control-Allow-Origin header is not legal.
The Access-Control-Allow-Origin header as you have it is invalid. Valid values are either '*', or a space separated list of origins. One of the following should work:
Header set Access-Control-Allow-Origin "*"
or
Header set Access-Control-Allow-Origin "http://localhost:3000 content://io.trigger.forge99d5a0b8621e11e28cc2123139286d0c"
Note that I've never tested the latter form (with multiple origins). While the CORS spec allows it, browsers may not yet support it.
One other thing you could do is read in the value of the Origin header, validate it on your server (i.e. manually check that the value equals either "http://localhost:3000" or "content://io.trigger.forge99d5a0b8621e11e28cc2123139286d0c"), and then echo only that value in the Access-Control-Allow-Origin response header. However this requires a little more work since it introduces some server-side conditional processing.
I also fear that content:// is not allowed in CORS, could you try setting Access-Control-Allow_origin to *, if that works then that is probably the problem.
A better solution would be to avoid doing XHR requests and use forge.request.ajax which will make the request from native code and avoid any cross domain restrictions. You can find the documentation for that here http://docs.trigger.io/en/v1.4/modules/request.html#modules-request