I have a reverse proxy server, which redirects you to different services depending on the Host header.
However when making requests to this server using a browser, the Host is always set to the domain name in the URL. I tried:
fetch("http://foo.com", {"headers":{"Host":"bar.foo.com"}})
But it doesn't work
Host is one of the forbidden header names:
A forbidden header name is an HTTP header name that cannot be modified programmatically.
It won't work. You cannot set the forbidden Headers on making the requests through browsers.
You can get the list of forbidden headers here - https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
Similar answers here:
Ajax request: Refused to set unsafe header
Not able to set HTTP Host header on $.ajax request
Related
Here is my scenario:
I am making an ajax request from foo.com to api.bar.com. In the response, it sets some cookies using Set-Cookie header. The domain on the set-cookie header is .bar.com. I am using all steps listed here How to make XMLHttpRequest cross-domain withCredentials, HTTP Authorization (CORS)?
I am able to see and verify (using Chrome extension EditThisCookie) that cookies are being set properly for domain .bar.com.
According to my understanding, when I make an ajax request (using withCredential:true) to cdn.bar.com, , it should include the cookies that were set earlier for domain .bar.com.
These cookies do not get included in the request, I can see it in fiddler. What am I missing here?
EDIT
Cookies DO get included in the request header If I make a request to cdn.bar.com from an origin app.bar.com. The problem only appears when it's called from a different origin foo.com.
The issue was with the SameSite restriction of the cookie. If I change the it from lax to No Restriction then it works fine.
This question already has answers here:
XMLHttpRequest cannot load XXX No 'Access-Control-Allow-Origin' header
(11 answers)
Closed 3 years ago.
I've found simple tutorial how to make cross domain json call here
And it works perfectly fine, so i decided to use this example, just change url from:
var url = "http://api.myjson.com/bins/23xvb";
to
var url = "http://dl.sniper.pl/test.json"
Unfortunately changing it returns such an error (in chrome):
XMLHttpRequest cannot load http://dl.sniper.pl/test.json. Response to
preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'null' is therefore not allowed access.
Googling that error didnt provide any answers to find a solution so here's the question:
Why i get such an error and how to solve it?
The http://dl.sniper.pl/ server must be configured to send the Access-Control-Allow-Origin response header in responses to requests for http://dl.sniper.pl/test.json.
But because that server isn’t sending the Access-Control-Allow-Origin response header, your browser is refusing to allow your frontend JavaScript code to access that response.
So you either nust configure the http://dl.sniper.pl/ server to send Access-Control-Allow-Origin or else you can make the request through a CORS proxy.
There’s an open CORS proxy you can make you request through by changing your code to this:
var url = "https://cors-anywhere.herokuapp.com/http://dl.sniper.pl/test.json"
That sends the request through the open CORS proxy https://cors-anywhere.herokuapp.com which adds the Access-Control-Allow-Origin response header to it and then passes that back to your requesting frontend code as the response.
That response with the Access-Control-Allow-Origin response header is what the browser sees, so the browser allows your frontend JavaScript code to actually access the response.
You can also easily set up your own CORS proxy using https://github.com/Rob--W/cors-anywhere/
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS for an explanation of how browsers behave when you send cross-origin requests frontend JavaScript code using XHR or the Fetch API or AJAX methods from JavaScript libraries—and for details about what response headers must be received in order for browsers to allow frontend code to access the responses.
you should configure you server todo this in your htaccess
u need something like this
<RequireAll>
Require all granted
</RequireAll>
I'm trying to set up a site to access CORS-enabled data on my server. My server has an access-control-allow-origin header of www.mysite.com, while the request is coming from a source with an origin header of www.mysite.com:444. The request is a GET request that's trying to fetch some data from my server, which has been set up to serve data to a portion of my app running in an iframe elsewhere on the site.
This request is getting blocked, unfortunately. How can I successfully make this request? Is there a way for me to take the port number off of my origin header, or do I need to modify the access-control-allow-origin header on my server? (And if that's the case, how should I go about doing so?)
You can't edit that header on the client side, that would defeat the point of this security header.
Why not just allow www.mysite.com:444 fully on the server ?
All you need is this on the server:
Access-Control-Allow-Origin: http://www.example.com:444
I want to get data from a JSON file for my webpage, I searched a lot and I failed to find a request that succeeds with HTTPS.
I get this error when I run the HTML file on my machine using jQuery.getJSON():
Origin null is not allowed by Access-Control-Allow-Origin.
Any ideas?
Add this header into an Apache .conf or .htaccess file
Header set Access-Control-Allow-Origin "*"
You may also need to add these:
Header set Access-Control-Allow-Methods POST, GET, OPTIONS
Header set Access-Control-Allow-Headers "X-SOME-HEADER" (additional headers you need to pass)
Header always set Access-Control-Max-Age "(number of seconds to cache results)"
Before you launch for production, you should consider restricting the origin if possible. For example, Access-Control-Allow-Origin: example.com. If the Ajax requests will come from the same server, you should remove these headers entirely when you launch.
I have two URLs:
One is the application URL = http://domain.com/app
One is the application API URL = http://api.domain.com/
How can I get the application to be able to request things from the api at a different subdomain.
I have already tried putting Access-Control-Allow-Origin: * on both sides with no luck.
Thanks
The two servers (not the client) need to send the following headers:
Access-Control-Allow-Origin : Decide which origin could call into the server
Access-Control-Allow-Methods : The method that is allowed to access the resource (GET or POST)
Access-Control-Max-Age : How long the cache is held
You could inspect the headers returned from the server (using Firebug or others) if the servers are supporting cross origin resource sharing.
If you can't modify the two servers to add the headers, one other possibility to set up a proxy that sit between your request and two servers. This proxy could add the headers if you need to access them
If you own admin right to the servers, this CORS page shows how to add the headers in various platforms.
set the cookie domain to .domain.com and you should be all set.. This is what I have done in my application..