NYC News

Default my magento store is loading without index.php. Site is secured. for both there are rewrite rules in .htaccess file which are working fine. I have implemented following code in .htaccess file, this is not working when i am loading the website. but if Load it by appending index.php CORS fix is working. https://domain.com/index.php --- CORS working fine https://domain.com - CORS not working.

What is the best options for the following case ?
Need to send Get request with cross doamin origin with header authentication.
Its working fine in chrome and firefox , but having issue in safari and IE
also in random cases it returns 401.

<script>
var url = 'username:password@anotherdo...';
$.ajax({
url: url,
dataType: 'jsonp',
jsonpCallback: "callback",
success: function(json) {
alert(json);
}
});
</script>

Hello @remysharp:disqus , I don't know if things have changed since you wrote this code or if I'm doing something wrong, but this isn't working for me, even the example (http://output.jsbin.com/oxi...) throws me an error (XMLHttpRequest cannot load http://remysharp.com/demo/c.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://output.jsbin.com' is therefore not allowed access.) and I've tried a lot of things to make it work with my own implementation (http://stackoverflow.com/qu...) and still nothing. I'd appreciate if you could please check it :)

nicely explained ... thanks

Thanks for the useful article. Could you provide an javascript/ jquery example of detecting request method if is OPTIONS? You have provided example for PHP but I would need it in js. Thanks a lot.

i have a question related to CORS with PHP
i doing an experiment using CORS with PHP i tried a simple example and i am done and work fine, i want to do the preflight request using delete method but i didn't succeeded can you provide an example of preflight request using delete method as i am following the book of cors in Action, but in the book using Node.js. i am trying to do it using ajax and javascript

I am lodging CORS requests using Basic Auth (custom Authorization header on every request) from my Angular frontend to my ASP.NET Web API backend (hosted on Azure websites) and the preflight requests are majorly degrading the speed of the angular app. If I were to move across to Bearer tokens using JWT or something similar, surely these are also considered to be "Custom headers" and will also violate the whole CORS "Simple request" thing in the spec, hence triggering preflight OPTIONS request. Confused!

Trying to avoid having to write a complex auth system for what is going to be a small scale project (internal system - 10-20 users)

Great article! Exactly the info I was looking for about OPTIONS and preflight requests! Thanks a million Remy!

Very cool article. Are you currently experiencing any problems with CORS including preflights on iOS 8 or OSX 10.10?
Every browser on every OS is running perfectly, but Safari on both Systems only runs the OPTIONS preflight an no GET is done...
Very frustrating...

Helpful Post, Thanks

Thanks so much! I had actually written code to handle the preflight hairiness, but when $http wasn't sending any preflight I was dumbfounded. Adding the X-Requested-With header fixed that.

Struggling with this issue. I want to avoid doing a preflight, if at all possible. Is any manually added header considered "custom"? I'm adding an Authorization header to use "basic auth". Will this mean jQuery will always generate a preflight request automatically?

Since this is a popular post, let me just add the following.

When you use the current version of jQuery no X-Requested-With is added. However if you still get the OPTIONS preflight it might has to do with the fact that "Content-Type:application/json" is also interpreted as custom header. "Content-Type:application/json" is set by default in Backbone (and probably other modern libs).

I am very confused with the XMLHttpRequest and the XDomainRequest reincarnation and would like some help. So here are my findings:

The XDomainRequest in IE8 and IE9 seems to be some kind of XMLHttpRequest sub class(?)
The XDomainRequest lacks the "withCredentials"

Also, it submits data as plain/text and not as form forcing you parse you inputstream at the back end.
Even if the CORS server "Allow-Headers" directive allows for the Set-Cookie to be read by the client, the XDomainRequest does not expose it making impossible to use cookie stored session iDs to be used for authentication.
Finally if I am not wrong, it allows only POST and GET http methods rendering it useless for RestFull web services.
This list is by no means complete and as I said it is based on my findings. However, here is where the confusion starts. I have an application where via Ajax I must:

Obtain (cross domain) via GET an encryption key along with a session id associated with it.
Encrypt my user password using this key (no problem here)
Login to the cross domain (where I got the key at step 1) using the POST and x-www-form-urlencoded username and the encrypted password.
Now for all the above reasons I cannot do this with the XDomainRequest:

First because the XDomainRequest:open(method, url) sends only plain text and my third party application is expecting form (I can write a filter/request interceptor but this is not the point).
Because my session id that arrives with the encryption key (step 1) is never sent back to the cross domain when login as a header since the XDomainRequest does not expose headers.
Nevertheless if in IE8 and IE9 I instantiate a XMLHttpRequest disregarding, all is working fine!!! OK I do not get the onload event and I am not sure what is the story with the "withcredentials" but IE8 and IE9 seems to have no problem using the XMLHttpRequest for cross domain. But why? Aren't all these contradictory? I am just trying to make some sense of this issue as I am afraid that using the XMLHttpRequest in IE8 and IE9 may come back and bite at some point.

So unless if I am mistaken, either the XDomainRequest is practically useless or I somehow managed to bypass the whole CORS notion on IE9 and IE8.

Any suggestion will be greatly appreciated Yiannis

Thank you very much. I now have code that POSTs data to another domain both in IE8+ and real browsers. Let me give you my js samples and server side Java, hopefully it helps someone. The core js is plain js, for unimportant code I use jquery:

``
function submitText(text){
if (jQuery.browser.msie){
var xdr = new XDomainRequest();
xdr.open('POST', 'http://otherdomain.semantacorp.com:8080/plugins/inexutils/createpage.action');
xdr.onload = function () {
jQuery('#lubo-test').html(this.responseText);
};
xdr.send("parent=4587526&template=ask&labels=setmeta-state-open,question&fromPage=4587526&reltype=created-question&content="+escape(text)+"&title=toto+je+kratkej+text&meta_objecttype=question");
} else {
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://otherdomain.semantacorp.com:8080/plugins/inexutils/createpage.action');
xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');
xhr.onreadystatechange = function () {
if (this.status == 200 && this.readyState == 4) {
jQuery('#lubo-test').html(this.responseText);
}
};
xhr.send("parent=4587526&template=ask&labels=setmeta-state-open,question&fromPage=4587526&reltype=created-question&content="+escape(text)+"&title=toto+je+kratkej+text&meta_objecttype=question");
}
}

jQuery(document).ready(function(){
jQuery("#xxxx").click(function(){
var text = jQuery('textarea[name=text]').val();
submitText(text);
});
});

Now, the server-side is Java within Confluence, but I guess you get the gist:

``response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
response.setHeader("Access-Control-Max-Age","1000");
response.setHeader("Access-Control-Allow-Headers","Content-type");
.... the following code is needed for IE8 ...
String text = Tools.convertStreamToString(request.getInputStream());
... and now parse the text var, which is like labels=blabla&fromPage=blabla....
.. for other browsers this would work: ...
String _parent = request.getParameter("parent");

Hello

I have a problem making this work:
I can do a post just fine and it's processed, but no response is returned.

What kind of response should I make for a post in order to receive it in browser, right now I get no response body other than headers transfer encoding chunked

Thanks

I think your PHP code implementing the preflight response is wrong. It does not check for the Origin header. In http://www.w3.org/TR/cors/ , it says:

If [in the preflight request] the Origin header is not present terminate this set of steps. The request is outside the scope of this specification.

According to my reading of that statement, your resource server should verify that the Origin header is present in the request and non-empty before responding with anything that includes Access-Control-Xxx-Xxxx .

See sec 6.2 of that document, "Preflight Request".

I am a PHP developer since many months (10+), but haven't worked on any cross domain Ajax. You article came in time, I was thinking of learning it. Thanks

I had the exact same headscratching experience.

Note that, for awhile, (haven't seen if it was fixed) Chrome's net panel/dev tools weren't even telling me that it was making an OPTIONS request that was failing: it simply threw an X-domain error without explanation, and I was baffled until checking Firebug. Once I set the right header on OPTION, all was well again. And then jQuery fixed the bug causing the unnecessary preflight, and all was really well.

Of course, CORS is just weird in general. It really does nothing to fix the security issues that make cross-domain requests so dangerous: a server that wants to send malicious code will, of course, WANT to allow people to access it cross-domain.

Also, not triggering a preflight saves you a roundtrip.

Yeah CORS can be tricky. Especially as when browsers throw random cryptic messages, if any at all, when something goes wrong. The network tabs all do different stuff, some show the preflight, others don't. This is especially problematic when things go bad and you have no idea whether it's a client or server issue.

I believe I had set it up for Chrome, but then firefox demanded a different header as well. Then later IE demanded another header as well. It's not easy being blue...

But when it works... :p

As for jQuery, the check to add X-Requested-With or not is new to the very recent 1.5.2.

cf http://bugs.jquery.com/tick...