CORS error on same domain?

Solution 1

It is only considered to be the same if the protocol, host and port are the same: Same Origin Policy

If you want to enable it you must follow Cross-Origin Resource Sharing (CORS) by adding headers. Mozilla has examples

You need to add Access-Control-Allow-Origin as a header in your response. To allow everyone (you should probably NOT do that):

Access-Control-Allow-Origin: *

If you need to support multiple origins (for example both example.com and www.example.com), set the Access-Control-Allow-Origin in your reply to the value of the Origin-header from the request (after you verified that the Origin is white-listed.)

Also note that some requests send a preflight request, with an OPTIONS method, so if you write your own code you must handle those requests too. See Mozilla for examples.
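
The allowlist-and-echo approach and the preflight handling described in Solution 1, sketched as framework-independent WSGI middleware. This is an added example, not code from the original answers; the allowed origin is the asker's app origin, while the method and header lists and the names `cors_middleware`, `api` and `simulate` are assumptions.

```python
# Added example: exact-match origin allowlist with preflight handling (WSGI).
ALLOWED_ORIGINS = {"http://localhost:8080"}  # the page's JavaScript app origin
ALLOWED_METHODS = "GET, POST, OPTIONS"       # assumption for this sketch
ALLOWED_HEADERS = "Content-Type"             # assumption for this sketch

def cors_middleware(app):
    """Wrap a WSGI app so only allowlisted origins receive CORS headers."""
    def wrapped(environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        allowed = origin in ALLOWED_ORIGINS  # scheme, host and port must all match
        cors = [("Vary", "Origin")]  # the response differs per Origin, so caches must key on it
        if allowed:
            cors.append(("Access-Control-Allow-Origin", origin))
        # A preflight is an OPTIONS request carrying Access-Control-Request-Method.
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            if allowed:
                cors += [("Access-Control-Allow-Methods", ALLOWED_METHODS),
                         ("Access-Control-Allow-Headers", ALLOWED_HEADERS)]
            start_response("204 No Content", cors)
            return []

        def start_with_cors(status, headers, exc_info=None):
            return start_response(status, list(headers) + cors, exc_info)
        return app(environ, start_with_cors)
    return wrapped

def api(environ, start_response):
    # Constructed stand-in for the REST server on localhost:8666.
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']

def simulate(method, origin=None, preflight_for=None):
    """Send one constructed request through the middleware; return (status, headers)."""
    environ = {"REQUEST_METHOD": method}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    if preflight_for:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_for
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    cors_middleware(api)(environ, start_response)
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    for o in ("http://localhost:8080", "https://localhost:8080", "http://localhost:8666"):
        print(o, "->", simulate("GET", o)[1].get("Access-Control-Allow-Origin"))
```

An origin that is not on the list still gets its normal response, just without `Access-Control-Allow-Origin`, so the browser refuses to hand the body to the calling script.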

Solution 2

The port numbers are different.

A request is considered cross-domain if any of the scheme, hostname, or port do not match.

Author by

Mr_Pouet

Not Quite.

Updated on July 14, 2022

Comments

  • Mr_Pouet
    Mr_Pouet almost 2 years

    I'm running into a weird CORS issue right now.

    Here's the error message:

    XMLHttpRequest cannot load http://localhost:8666/routeREST/select?q=[...] 
    Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin
    

    Two servers:

    • localhost:8666/routeREST/ : this is a simple Python Bottle server.
    • localhost:8080/ : Python simpleHTTPserver where I run my JavaScript application. This app is executing Ajax requests on the server above.

    Any thought on what could be the problem?

    EDIT:

    And... the port was the problem. Thanks for your answers :)

    If anyone is using a Python bottle server as well, you can follow the answer given on this post to solve the CORS issue: Bottle Py: Enabling CORS for jQuery AJAX requests

    • some
      some over 10 years
      Since they are on different ports they are not the same!
    • Admin
      Admin over 10 years
      The port numbers are different. This might violate Cross Origin rules.
    • Ray Nicholus
      Ray Nicholus over 10 years
      Note that IE doesn't take port number into account.
    • Seldom 'Where's Monica' Needy
      Seldom 'Where's Monica' Needy about 7 years
      @some Most browsers also conclude they're not the same if one has a 'www' and the other doesn't. The devil's in the details.
    • some
      some about 7 years
      @SeldomNeedy example.com, www.example.com, www1.example.com, and mirror.www.example.com are all different domains. example.com, example.com, example.com, example.com:80443 are all from different origins.
    • bvdb
      bvdb over 3 years
      Some web browsers allow it and others don't. Web browsers seem to be stuck in the era of monoliths, while all back-ends are migrating to multi-server environments. All self-respecting websites disable CORS to some degree. How else can you support http+https+websockets+www+loadbalancing+api-servers+... Some security settings are so extreme that everybody disables them and totally misses their point.
    • Micha93
      Micha93 over 3 years
      @RayNicholus no, you are wrong.
  • Zoltán Schmidt
    Zoltán Schmidt almost 8 years
    This should be highlighted with red colour, capitals and bold everywhere where AJAX gets involved.
  • Seldom 'Where's Monica' Needy
    Seldom 'Where's Monica' Needy about 7 years
    As an addendum to this answer, note that 'Access-Control-Allow-Origin: https://example.com' is NOT equivalent to 'Access-Control-Allow-Origin: https://www.example.com'. If your site is accessible via both of those, you should have both in your response-headers.
  • Joseph Lust
    Joseph Lust over 6 years
    Except 443 and 80.
  • Emile Bergeron
    Emile Bergeron over 6 years
    Note that no preflight requests are sent by default for simple requests like GET, POST and HEAD. See the MDN article linked in the answer for additional details.
  • code_monk
    code_monk over 6 years
    including 443 and 80
  • Mike Flynn
    Mike Flynn over 5 years
    @SeldomNeedy you can't have duplicate headers
  • Seldom 'Where's Monica' Needy
    Seldom 'Where's Monica' Needy over 5 years
    @MikeFlynn My wording was admittedly a touch loose, but I wasn't trying to suggest that; the server simply needs to be configured to send the appropriate header, per the request.
  • Ritesh
    Ritesh about 4 years
    How can a confirmation of the problem be the solution to the problem? Post the answer, dude.