The forum of the forums

CORS Ajax?

3 posters

CORS Ajax?

Post by Ultron's Vision June 3rd 2013, 7:28 pm

Basically, I'm trying to do some CORS (Cross-Origin Resource Sharing) Ajax (Asynchronous JavaScript and XML) via forumotion, but forumotion vehemently denies that by spitting this error in the console:
XMLHttpRequest cannot load [URL removed]. Origin [my forum URL] is not allowed by Access-Control-Allow-Origin. page_html:1

I researched some topics on the internet and it seems that forumotion header isn't allowing any CORS Requests.
Is there any way I could possibly get this enabled for me? Thanks in advance!


Last edited by Ultron's Vision on June 4th 2013, 10:29 pm; edited 1 time in total
Ultron's Vision
Forumember

Male Posts : 634
Reputation : 45
Language : English | German | HTML | JavaScript | PHP | C++ | Perl | Java
Location : Vienna, Austria

http://duelacademy.net

Re: CORS Ajax?

Post by Ultron's Vision June 4th 2013, 7:28 pm

Hope this isn't counted as double post because it's been only 23:59 hours...

I tried adding a <meta http-equiv="Allow-Origin-Access-Control" content="*"> to my simple_header templates, but it's not appearing in my source code.

Any other suggestions?

EDIT: It's all solved, I had to set the Access-Control-Allow-Origin on MY SERVER, not on forumotion to *. Sorry for making a big deal out of this

EDIT 2: It worked once but then it kept returning the old error. I've tried and tried, someone please help ._.

Re: CORS Ajax?

Post by Nostra June 5th 2013, 8:22 am

Huh, you will NEVER get cross domain ajax requests... except if you are using JSON or JSONp or just get a script.

It is not connected with servers' or sites' config but with world-wide standards about privacy and security. JS won't let you get others' data

You have to find a way to get data in JSON format. That's all.


Watchin' u all,
Nostra
Nostra
Forumember

Female Posts : 30
Reputation : 3
Language : .it
Location : Neverland

Re: CORS Ajax?

Post by Ultron's Vision June 5th 2013, 9:04 am

CORS is a thing, you know, and it does work. Besides, both sites are owned by me (well, the sub-domains are, of course I do not own forumotion or my web hoster), my HTTP header is accordingly set on the side I'm trying to post data to.
Code:
<?php
// The response header must be named exactly Access-Control-Allow-Origin.
header('Access-Control-Allow-Origin: *');
// ...
?>

Re: CORS Ajax?

Post by Nostra June 5th 2013, 9:19 am

Hey, JavaScript won't let you do this ◕‿‿◕ only JSON and script responses are allowed. You can do anything with your servers but the browser will just block such suspicious manipulations. Well, you will be able to post some data but don't wait for any response.

My sites and forumotion boards do use cross-domain ajax. They fetch data in JSONp format.

You have to either use one domain or use JSON format.

Re: CORS Ajax?

Post by Ultron's Vision June 5th 2013, 9:22 am

Fine, I was going to use JSON in the end, either way. I've been experimenting with sending plain text to the server and then saving that data to an SQL database.

Anyway, I'll try with JSON.

Re: CORS Ajax?

Post by LGforum June 12th 2013, 1:35 pm

Nostra... That's not really true at all.

A server can return any response to a request. An AJAX request is just the same as an HTTP request (well it IS an HTTP request) and so can give any response as long as the server dictates the correct mime type.

I'm not sure you're understanding what JSON is. It is not a language or a type of reply... it is simply a notation method. It is simply the act of writing your plain text response in JSON formatting so it can be parsed into a Javascript object.

I use CORS and I give a non-JSON response. I could give any response as long as I set the correct MIME type. There's no malicious activity going on and the browser knows that due to the server giving access to the referrer.
LGforum
Hyperactive

Male Posts : 2265
Reputation : 264
Language : English
Location : UK

Re: CORS Ajax?

Post by Ultron's Vision June 12th 2013, 1:50 pm

Okay, thanks for clarifying this.

Even though my HTTP header is set correctly and my meta tag indicates that all content from my forum is allowed to access my site, I still get an error before sending data :/

Would you mind taking a look at it, LG?

Re: CORS Ajax?

Post by LGforum June 12th 2013, 2:04 pm

Make sure you're allowing GET requests.

For Avacweb I'd be setting these headers server-side:
Code:
header('Access-Control-Allow-Origin: http://www.avacweb.com');
header('Access-Control-Allow-Methods: GET');

There's no need to allow POST requests as you shouldn't use cross domain post requests just yet as even recent versions of IE have difficulties with it.

A good Javascript function for handling the request would be this:
Code:
function cors_request(url, data, callback) {
   // data must already be a URL-encoded query string (e.g. 'a=1&b=2').
   if (data) url += (url.indexOf('?') === -1 ? '?' : '&') + data;
   var xhr = new XMLHttpRequest();
   if ("withCredentials" in xhr) {
      // XMLHttpRequest with CORS support.
      xhr.open('GET', url, true);
   }
   else if (typeof XDomainRequest != "undefined") {
      // Older IE: cross-domain requests go through XDomainRequest.
      xhr = new XDomainRequest();
      xhr.open('GET', url);
   }
   else {
      xhr = null; // decide what to do with browsers not supporting.
   }
   if (xhr) {
      xhr.onload = function() { if (callback) callback.call(xhr, xhr.responseText); };
      xhr.send();
   }
}

Then you use it as such:
Code:
cors_request('http://yourserver.com/yourphpfile.php', 'item1=value1&item2=value2', function(response) {
    // the request has completed and replied. Now do something with our response.
    alert(response);
});

Hope that helps!
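The error quoted at the top of this thread comes from a check the browser runs on the response headers of the server being requested. The following is an added example, not code from any poster: a simplified model of that check for a plain GET without credentials, where `corsAllowsRead`, `FORUM_ORIGIN` and the sample header sets are hypothetical names and constructed values.

```javascript
// Added example: simplified model of the browser's check on a simple
// cross-origin GET response (no credentials, no preflight).
// Every origin and header set below is a constructed sample value.

function corsAllowsRead(pageOrigin, responseHeaders) {
  // Header names are case-insensitive; the value is compared exactly.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allow = headers['access-control-allow-origin'];
  if (allow === undefined) {
    return { allowed: false, reason: 'response has no Access-Control-Allow-Origin header' };
  }
  if (allow === '*') {
    return { allowed: true, reason: 'wildcard' };
  }
  // Scheme, host and port must all match the requesting page's origin.
  if (allow === pageOrigin) {
    return { allowed: true, reason: 'exact origin match' };
  }
  return { allowed: false, reason: 'header allows ' + allow + ', page is ' + pageOrigin };
}

// The headers are those sent by the server that receives the request,
// not anything set on the page that makes it.
const FORUM_ORIGIN = 'http://myforum.example';
const SAMPLE_RESPONSES = {
  wildcard:       { 'Access-Control-Allow-Origin': '*' },
  exactOrigin:    { 'Access-Control-Allow-Origin': 'http://myforum.example' },
  transposedName: { 'Access-Origin-Allow-Control': '*' },
  wwwMismatch:    { 'Access-Control-Allow-Origin': 'http://www.myforum.example' },
  schemeMismatch: { 'Access-Control-Allow-Origin': 'https://myforum.example' },
  noCorsHeaders:  { 'Content-Type': 'text/plain' },
};

function checkSamples() {
  const results = {};
  for (const [label, headers] of Object.entries(SAMPLE_RESPONSES)) {
    results[label] = corsAllowsRead(FORUM_ORIGIN, headers);
  }
  return results;
}

for (const [label, r] of Object.entries(checkSamples())) {
  console.log(label.padEnd(15), r.allowed ? 'readable' : 'blocked ', '-', r.reason);
}
```

A header whose name has its words in the wrong order is simply an unknown header to the browser, so the response is treated as if no CORS header had been sent.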

Re: CORS Ajax?

Post by Ultron's Vision June 12th 2013, 2:12 pm

Mmm, I'd rather have it post the data as anyone who can trace the .php file can add misc. get vars into the URL and save them on my database (that's what I am trying to do with the request - logging user activity in a certain forum only few people are actually permitted to see while admins aren't for the sake of fairness; it's not that I do not trust my fellow admins but I am quite paranoid, hahah...), but I will try either way.

Using document.getElementById('i_icon_mini_logout').getAttribute('alt').toString().slice(10,-2) seems like a good way to capture the username or is there another, shorter option?

Re: CORS Ajax?

Post by LGforum June 12th 2013, 2:29 pm

Understandable, but the problem still remains with POST requests. Anyone can fake a post request or post data. Don't forget though the requests can only come from your domain, so people can't type things into the address bar, because then there is no referrer. Checking the $_SERVER['HTTP_REFERER'] value will help server side too. It can also be faked, but now you're moving out of the knowledge of regular people.
Your options are:
- Validating the data that comes in... which is important anyway of course. But maybe making a list of the acceptable usernames that can be sent, and checking the sent username against that list.
- Encoding the sent data so people aren't really sure what data you're sending and will not know how or why to duplicate or fake a request.
- Checking the referrer is your forum.
- Maybe even dealing with unique ID numbers which only have a limited time on them.

A good way of grabbing the username is putting this in your site description:
Code:
<script>var username = '{USERNAME*}';</script>
I say site description because it's the first place within the DOM where the FM variables will be parsed.

When working with databases and server side though, you're better off working with the user ID.
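Two of the options listed in the post above, checking the referrer and checking the submitted user against a list, sketched as server-side logic. This is an added example, not code from any poster; `TRUSTED_ORIGIN`, `ALLOWED_USER_IDS`, the `uid` parameter and the `{ headers, query }` request shape are assumptions, and all sample requests are constructed.

```javascript
// Added example: server-side checks for a logging endpoint like the one
// discussed above. Names and the request shape are assumptions.
const TRUSTED_ORIGIN = 'http://myforum.example';   // the forum's origin
const ALLOWED_USER_IDS = new Set([1, 7, 42]);      // users allowed to be logged

// Compare the parsed origin, not a substring: a substring test would also
// accept http://myforum.example.other.test/.
function fromForum(headerValue) {
  try {
    return new URL(headerValue).origin === TRUSTED_ORIGIN;
  } catch (e) {
    return false; // missing or malformed header
  }
}

function validateLogRequest(req) {
  // Browsers send Origin on CORS requests; Referer is the fallback.
  // Both are client-supplied, so this filters casual tampering only.
  const source = req.headers.origin || req.headers.referer || '';
  if (!fromForum(source)) {
    return { ok: false, error: 'request did not come from the forum' };
  }
  // Accept only a plain positive integer, then check it against the list.
  const raw = String(req.query.uid === undefined ? '' : req.query.uid);
  if (!/^[1-9][0-9]{0,8}$/.test(raw)) {
    return { ok: false, error: 'uid is not a positive integer' };
  }
  const uid = Number(raw);
  if (!ALLOWED_USER_IDS.has(uid)) {
    return { ok: false, error: 'uid is not on the allowlist' };
  }
  return { ok: true, uid: uid };
}

// Constructed sample requests.
const SAMPLE_REQUESTS = [
  { headers: { origin: 'http://myforum.example' }, query: { uid: '7' } },
  { headers: { referer: 'http://myforum.example/f3-private' }, query: { uid: '42' } },
  { headers: {}, query: { uid: '7' } },
  { headers: { referer: 'http://myforum.example.other.test/' }, query: { uid: '7' } },
  { headers: { origin: 'http://myforum.example' }, query: { uid: '7abc' } },
  { headers: { origin: 'http://myforum.example' }, query: { uid: '9' } },
];

function checkSampleRequests() {
  return SAMPLE_REQUESTS.map(function (req) { return validateLogRequest(req); });
}

console.log(checkSampleRequests());
```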

Re: CORS Ajax?

Post by Ultron's Vision June 12th 2013, 2:50 pm

Fair enough. How would I approach fetching the UID reliably?

Re: CORS Ajax?

Post by LGforum June 12th 2013, 3:09 pm

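Here's a brilliant way of getting the User ID. It can be in a Javascript file right at the top so the user ID is available immediately:
Code:
var USER_ID = (function() {
    // my_getcookie is not defined in this snippet; it has to be available on the page already.
    var c = my_getcookie('fa_' + location.host.replace(/\./g, '_') + '_data');
    if(c) {
        c = c.split(':');
        // Keep only the digits of the last field; fall back to 0 if there are none.
        return parseInt( c[ c.length - 1 ].replace(/\D/g, ''), 10 ) || 0;
    }
    return 0;
})();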
The user ID will be an integer not string, and will be 0 for guests.

Re: CORS Ajax?

Post by Ultron's Vision June 12th 2013, 3:12 pm

Thank you for your valuable input!
I'll give this a shot the instant I'm on my PC again (which would be Saturday).