CORS error on same domain?
Solution 1
It is only considered to be the same if the protocol, host and port are the same: Same Origin Policy
If you want to enable it you must follow Cross-Origin Resource Sharing (CORS) by adding headers. Mozilla has examples.
You need to add Access-Control-Allow-Origin as a header in your response. To allow everyone (you should probably NOT do that):
Access-Control-Allow-Origin: *
If you need to support multiple origins (for example both example.com and www.example.com), set the Access-Control-Allow-Origin in your reply to the value of the Origin-header from the request (after you verified that the Origin is white-listed.)
Also note that some requests send a preflight-request, with an OPTION-method, so if you write your own code you must handle those requests too. See Mozilla for examples.
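The allow-list check and preflight handling described in this answer, as an added example that is not part of the original answer or of any project mentioned on the page. It is WSGI middleware using only the standard library; the allow-list entry, the allowed methods and headers, and the names `origin_key`, `cors_headers` and `CorsMiddleware` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list; the entry is the page origin from the question.
ALLOWED_ORIGINS = ["http://localhost:8080"]
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_key(origin):
    """Reduce an Origin value to (scheme, host, port); None if malformed."""
    try:
        parts = urlsplit(origin)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # e.g. a non-numeric port
        return None
    if not parts.hostname or port is None or parts.path or parts.query:
        return None
    return (parts.scheme, parts.hostname, port)

# Map each allowed (scheme, host, port) to the exact string sent back.
ALLOWED = {origin_key(o): o for o in ALLOWED_ORIGINS}

def cors_headers(origin):
    """Headers to add for a request with this Origin value (may be None)."""
    headers = [("Vary", "Origin")]  # the reply differs per requesting origin
    key = origin_key(origin) if origin else None
    if key is not None and key in ALLOWED:
        # Send the allow-list entry, never unvalidated request data.
        headers.append(("Access-Control-Allow-Origin", ALLOWED[key]))
    return headers

class CorsMiddleware:
    """Wraps a WSGI application and adds the CORS headers to its replies."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        extra = cors_headers(environ.get("HTTP_ORIGIN"))
        # A preflight is an OPTIONS request with Access-Control-Request-Method.
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            if len(extra) > 1:  # origin is allowed (assumed methods/headers)
                extra += [("Access-Control-Allow-Methods", "GET, POST"),
                          ("Access-Control-Allow-Headers", "Content-Type")]
            start_response("204 No Content", extra)
            return [b""]

        def patched(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, patched)
```

A request from an origin that is not on the list gets no `Access-Control-Allow-Origin` header at all, so the browser blocks the script from reading the reply.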
Solution 2
The port numbers are different.
A request is considered cross-domain if any of the scheme, hostname, or port do not match.
Comments
-
Mr_Pouet almost 2 years
I'm running into a weird CORS issue right now.
Here's the error message:
XMLHttpRequest cannot load http://localhost:8666/routeREST/select?q=[...] Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin
Two servers:
- localhost:8666/routeREST/ : this is a simple Python Bottle server.
- localhost:8080/ : Python simpleHTTPserver where I run my JavaScript application. This app is executing Ajax requests on the server above.
Any thought on what could be the problem?
EDIT:
And... the port was the problem. Thanks for your answers :)
If anyone is using a Python bottle server as well, you can follow the answer given on this post to solve the CORS issue: Bottle Py: Enabling CORS for jQuery AJAX requests
-
some over 10 years
Since they are on different ports they are not the same!
-
Admin over 10 years
The port numbers are different. This might violate Cross Origin rules.
-
Ray Nicholus over 10 years
Note that IE doesn't take port number into account.
-
Seldom 'Where's Monica' Needy about 7 years
@some Most browsers also conclude they're not the same if one has a 'www' and the other doesn't. The devil's in the details.
-
some about 7 years
@SeldomNeedy example.com, www.example.com, www1.example.com, and mirror.www.example.com are all different domains. example.com, example.com, example.com, example.com:80443 are all from different origins.
-
bvdb over 3 years
Some web browsers allow it and others don't. Web browsers seem to be stuck in the era of monoliths, while all back-ends are migrating to multi-server environments. All self-respecting websites disable CORS to some degree. How else can you support http+https+websockets+www+loadbalancing+api-servers+... Some security settings are so extreme that everybody disables them and totally miss their point.
-
Micha93 over 3 years
@RayNicholus no, you are wrong.
-
Zoltán Schmidt almost 8 years
This should be highlighted with red colour, capitals and bold everywhere where AJAX gets involved.
-
Seldom 'Where's Monica' Needy about 7 years
As an addendum to this answer, note that 'Access-Control-Allow-Origin: https://example.com' is NOT equivalent to 'Access-Control-Allow-Origin: https://www.example.com'. If your site is accessible via both of those, you should have both in your response-headers.
-
Joseph Lust over 6 years
Except 443 and 80.
-
Emile Bergeron over 6 years
Note that no preflight requests are sent by default for simple requests like GET, POST and HEAD. See the MDN article linked in the answer for additional details.
-
code_monk over 6 years
including 443 and 80
-
Mike Flynn over 5 years
@SeldomNeedy you can't have duplicate headers
-
Seldom 'Where's Monica' Needy over 5 years
@MikeFlynn My wording was admittedly a touch loose, but I wasn't trying to suggest that; the server simply needs to be configured to send the appropriate header, per the request.
-
Ritesh about 4 years
How can a confirmation to the problem be the solution of the problem? Post the answer dude.