CORS Ajax?
Basically, I'm trying to do some CORS (Cross-Origin Resource Sharing) Ajax (Asynchronous JavaScript and XML) via forumotion, but forumotion vehemently denies that by spitting this error in the console:
XMLHttpRequest cannot load [URL removed]. Origin [my forum URL] is not allowed by Access-Control-Allow-Origin. page_html:1
I researched some topics on the internet and it seems that forumotion header isn't allowing any CORS Requests.
Is there any way I could possibly get this enabled for me? Thanks in advance!
Last edited by Ultron's Vision on June 4th 2013, 10:29 pm; edited 1 time in total
Re: CORS Ajax?
Hope this isn't counted as double post because it's been only 23:59 hours...
I tried adding a <meta http-equiv="Allow-Origin-Access-Control" content="*"> to my simple_header templates, but it's not appearing in my source code.
Any other suggestions?
EDIT: It's all solved, I had to set the Access-Control-Allow-Origin on MY SERVER, not on forumotion to *. Sorry for making a big deal out of this
EDIT 2: It worked once but then it kept returning the old error. I've tried and tried, someone please help ._.
Re: CORS Ajax?
Huh, you will NEVER get cross domain ajax requests... except if you are using JSON or JSONp or just get a script.
It is not connected with servers' or sites' config but with world-wide standards about privacy and security. JS won't let you get others' data.
You have to find a way to get data in JSON format. That's all.
Watchin' u all,
Nostra
Nostra- Forumember
- Posts : 30
Reputation : 3
Language : .it
Location : Neverland
Re: CORS Ajax?
CORS is a thing, you know, and it does work. Besides, both sites are owned by me (well, the sub-domains are, of course I do not own forumotion or my web hoster), my HTTP header is accordingly set on the side I'm trying to post data to.
- Code:
<?php
header('Access-Origin-Allow-Control: *');
...
?>
Re: CORS Ajax?
Hey, JavaScript won't let you do this ◕‿‿◕ only JSON and script responses are allowed. You can do anything with your servers but the browser will just block such suspicious manipulations. Well, you will be able to post some data but don't wait for any response.
My sites and forumotion boards do use cross-domain ajax. They fetch data in JSONp format.
You have to either use one domain or use JSON format.
Nostra- Forumember
- Posts : 30
Reputation : 3
Language : .it
Location : Neverland
Re: CORS Ajax?
Fine, I was going to use JSON in the end, either way. I've been experimenting with sending plain text to the server and then saving that data to an SQL database.
Anyway, I'll try with JSON.
Re: CORS Ajax?
Nostra... That's not really true at all.
A server can return any response to a request. An AJAX request is just the same as an HTTP request (well it IS an HTTP request) and so can give any response as long as the server dictates the correct MIME type.
I'm not sure you're understanding what JSON is. It is not a language or a type of reply... it is simply a notation method. It is simply the act of writing your plain text response in JSON formatting so it can be parsed into a JavaScript object.
I use CORS and I give a non-JSON response. I could give any response as long as I set the correct MIME type. There's no malicious activity going on and the browser knows that due to the server giving access to the referrer.
LGforum- Hyperactive
- Posts : 2265
Reputation : 264
Language : English
Location : UK
Re: CORS Ajax?
Okay, thanks for clarifying this.
Even though my HTTP header is set correctly and my meta tag indicates that all content from my forum is allowed to access my site, I still get an error before sending data.
Would you mind taking a look at it, LG?
Re: CORS Ajax?
Make sure you're allowing GET requests.
For Avacweb I'd be setting these headers server-side:
- Code:
header('Access-Control-Allow-Origin: http://www.avacweb.com');
header('Access-Control-Allow-Methods: GET');
There's no need to allow POST requests as you shouldn't use cross domain post requests just yet as even recent versions of IE have difficulties with it.
A good Javascript function for handling the request would be this:
- Code:
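function cors_request(url, data, callback) {
    // data is expected to be an already URL-encoded query string.
    if (data) url += (url.indexOf('?') === -1 ? '?' : '&') + data;
    var xhr = new XMLHttpRequest();
    if ("withCredentials" in xhr) {
        // XMLHttpRequest with native CORS support.
        xhr.open('GET', url, true);
    }
    else if (typeof XDomainRequest != "undefined") {
        // Older Internet Explorer: cross-domain requests go through XDomainRequest.
        xhr = new XDomainRequest();
        xhr.open('GET', url);
    }
    else {
        xhr = null; // decide what to do with browsers not supporting.
    }
    if (xhr) {
        // Pass the response body to the callback, with the request object as `this`.
        xhr.onload = function() { if (callback) callback.call(xhr, xhr.responseText); };
        xhr.send();
    }
}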
Then you use it as such:
- Code:
cors_request('http://yourserver.com/yourphpfile.php', 'item1=value1&item2=value2', function(response) {
    // the request has completed and replied. Now do something with our response.
    alert(response);
});
Hope that helps!
LGforum- Hyperactive
- Posts : 2265
Reputation : 264
Language : English
Location : UK
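Added example, not part of LGforum's post or the thread's code: both halves of a simple cross-origin GET, with a server that echoes an allowlisted origin and a simplified model of the browser's check, run against the header names that appear in this thread. The origins and the function names `corsResponseHeaders`, `corsAllows` and `demo` are assumptions made for illustration.

```javascript
// Added example: both halves of a simple cross-origin GET. Not code from the thread.

// Server side: origins allowed to read responses (constructed value).
const ALLOWED_ORIGINS = new Set(['http://myforum.example']);

// Build the CORS response headers for a request's Origin header.
function corsResponseHeaders(requestOrigin) {
  // The response differs per Origin, so caches must key on it.
  const headers = { 'Vary': 'Origin' };
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return headers;
}

// Browser side (simplified, no credentials): may page script read the response?
function corsAllows(pageOrigin, responseHeaders) {
  const byName = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    byName[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const acao = byName['access-control-allow-origin'];
  if (acao === undefined) return { allowed: false, reason: 'header missing' };
  if (acao === '*') return { allowed: true, reason: 'wildcard' };
  // Otherwise the value must equal the page's origin exactly:
  // scheme, host and port, with no trailing slash and no list of origins.
  return acao === pageOrigin
    ? { allowed: true, reason: 'exact match' }
    : { allowed: false, reason: 'origin mismatch' };
}

// Constructed responses, including the two header names tried in the thread.
function demo() {
  const forum = 'http://myforum.example';
  const other = 'http://other.example';
  return {
    fromServer: corsAllows(forum, corsResponseHeaders(forum)),
    otherSite: corsAllows(other, corsResponseHeaders(other)),
    misnamedPhp: corsAllows(forum, { 'Access-Origin-Allow-Control': '*' }),
    misnamedMeta: corsAllows(forum, { 'Allow-Origin-Access-Control': '*' }),
    lowerCase: corsAllows(forum, { 'access-control-allow-origin': '*' }),
    trailingSlash: corsAllows(forum, { 'Access-Control-Allow-Origin': forum + '/' }),
  };
}

console.log(demo());
```

The model only looks at HTTP response headers of the requested resource, which is where browsers read CORS permissions from; a `<meta http-equiv>` tag on the requesting page is not consulted.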
Re: CORS Ajax?
Mmm, I'd rather have it post the data as anyone who can trace the .php file can add misc. get vars into the URL and save them on my database (that's what I am trying to do with the request - logging user activity in a certain forum only few people are actually permitted to see while admins aren't for the sake of fairness; it's not that I do not trust my fellow admins but I am quite paranoid, hahah...), but I will try either way.
Using document.getElementById('i_icon_mini_logout').getAttribute('alt').toString().slice(10,-2) seems like a good way to capture the username or is there another, shorter option?
Re: CORS Ajax?
Understandable, but the problem still remains with POST requests. Anyone can fake a post request or post data. Don't forget though the requests can only come from your domain, so people can't type things into the address bar, because then there is no referrer. Checking the $_SERVER['HTTP_REFERER'] value will help server side too. It can also be faked, but now you're moving out of the knowledge of regular people.
Your options are:
- Validating the data that comes in... which is important anyway of course. But maybe making a list of the acceptable usernames that can be sent, and checking the sent username against that list.
- Encoding the sent data so people aren't really sure what data you're sending and will not know how or why to duplicate or fake a request.
- Checking the referrer is your forum.
- Maybe even dealing with unique ID numbers which only have a limited time on them.
A good way of grabbing the username is putting this in your site description:
- Code:
<script>var username = '{USERNAME*}';</script>
When working with databases and server side though, you're better off working with the user ID.
LGforum- Hyperactive
- Posts : 2265
Reputation : 264
Language : English
Location : UK
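Added example, not part of the thread: a server-side check for the logging request that combines three of the options listed above (allowlist validation, an origin check, and a time-limited token, here an HMAC over the user ID and expiry). It is written in JavaScript for Node.js rather than the thread's PHP. The origin, user IDs, secret and function names are assumptions, and it assumes the server has already handed the token to the legitimate page.

```javascript
// Added example (Node.js), not code from the thread. Names and values are assumptions.
const nodeCrypto = require('crypto');

const FORUM_ORIGIN = 'http://myforum.example';      // constructed
const ALLOWED_USER_IDS = new Set([1, 7, 42]);        // constructed allowlist
const SECRET = 'placeholder-use-a-long-random-key'; // placeholder, kept server-side
const TOKEN_TTL_MS = 5 * 60 * 1000;                  // tokens live five minutes

// The HMAC binds a token to one user ID and one expiry time.
function sign(userId, expires) {
  return nodeCrypto.createHmac('sha256', SECRET)
    .update(userId + '.' + expires).digest('hex');
}

// Token format: "<expiry in ms>.<hex HMAC>".
function issueToken(userId, now) {
  const expires = now + TOKEN_TTL_MS;
  return expires + '.' + sign(userId, expires);
}

// req = { origin, query: { uid, token } }; returns { ok, reason }.
function validateLogRequest(req, now) {
  // Origin and Referer are sent by the client: a cheap filter, not proof.
  if (req.origin !== FORUM_ORIGIN) return { ok: false, reason: 'bad origin' };
  // Strict format first, then the allowlist.
  if (!/^\d{1,10}$/.test(req.query.uid || '')) return { ok: false, reason: 'bad uid' };
  const userId = Number(req.query.uid);
  if (!ALLOWED_USER_IDS.has(userId)) return { ok: false, reason: 'unknown user' };
  const m = /^(\d{13})\.([0-9a-f]{64})$/.exec(req.query.token || '');
  if (!m) return { ok: false, reason: 'bad token format' };
  const expires = Number(m[1]);
  if (expires < now) return { ok: false, reason: 'token expired' };
  // Constant-time comparison of the two 32-byte MACs.
  const expected = Buffer.from(sign(userId, expires), 'hex');
  const given = Buffer.from(m[2], 'hex');
  if (!nodeCrypto.timingSafeEqual(expected, given)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed request: member 7 with a fresh token.
const NOW = 1700000000000;
const sample = { origin: FORUM_ORIGIN, query: { uid: '7', token: issueToken(7, NOW) } };
console.log(validateLogRequest(sample, NOW));
```

The same checks apply whether the endpoint accepts GET or POST, since the method does not change who is able to send the request.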
Re: CORS Ajax?
Here's a brilliant way of getting the User ID. It can be in a JavaScript file right at the top so the user ID is available immediately:
- Code:
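// my_getcookie() is not defined here; it must already be available on the page.
var USER_ID = (function() {
    // Cookie name is built from the host, with dots replaced by underscores.
    var c = my_getcookie('fa_' + location.host.replace(/\./g, '_') + '_data');
    if (c) {
        c = c.split(':');
        // Keep only the digits of the last field and parse them as a base-10 number.
        return parseInt( c[ c.length - 1 ].replace(/\D/g, ''), 10 );
    }
    return 0; // no cookie found
})();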
LGforum- Hyperactive
- Posts : 2265
Reputation : 264
Language : English
Location : UK
Re: CORS Ajax?
Thank you for your valuable input!
I'll give this a shot the instant I'm on my PC again (which would be Saturday).