17

I've followed the following steps:

  1. Get the server to allow cross-domain calls (with all the headers and stuff). This works.
  2. Test the server with some cross-domain calls. This works.
  3. Get the server to force a certificate. This works.
  4. Go to a file on the server with a browser, choose the right certificate and see the file. Still works.

  Now we get to the nice part:

  5. Combine the cross-domain calls with the certificate <-- this does not work.

Problem

I am getting the certificate request from the browser, but when I select the same certificate as I do when using the browser, the call is made but I get a 403 Forbidden.

Code

$.ajax({
    type: "POST",
    // send cookies / client certificate with the cross-origin request
    xhrFields: { withCredentials: true },
    dataType: "xml",
    // a non-simple Content-Type such as text/xml makes the browser send an OPTIONS preflight first
    contentType: "text/xml; charset=\"utf-8\"",
    url: "https://www.myOtherServer.com/testfile.asp",
    error: function (xhr) {
        // log the HTTP status of a failed call (e.g. 403)
        console.log("request failed with status " + xhr.status);
    }
});

Any ideas?

Edit

The Access-Control-Allow-Credentials: true and the Access-Control-Allow-Origin are properly configured.

Additional information

I'm starting to think that it has something to do with the content type. When I change it to "text/html" I get a 415 error, but I do really need to send xml because it is a SOAP server.

Response headers

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Origin, Man, Messagetype, Soapaction, X-Test-Header
Access-Control-Allow-Methods: GET,POST,HEAD,DELETE,PUT,OPTIONS
Access-Control-Allow-Origin: https://www.mywebsite.com
Access-Control-Max-Age: 1800
Cache-Control: private
Content-Length: 5561
Content-Type: text/html; charset=utf-8
Date: Wed, 19 Dec 2012 15:06:46 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET

Request headers

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Cache-Control: no-cache
Connection: keep-alive
Host: myhoast.com
Origin: https://www.mywebsite.com
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Rick Hoving

2 Answers

10

My best guess is that this is a problem not with your Javascript but with your CORS configuration. Did you set up your server with the Access-Control-Allow-Credentials: true header? http://www.w3.org/TR/cors/#access-control-allow-credentials-response-header

Also note that, even when the allow-credentials header is set, the browser will not allow responses to credentialed requests if Access-Control-Allow-Origin is *, according to these docs: https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#Requests_with_credentials.

Edit: Since the OP has the CORS headers set up properly, the problem seems to be that the server is rejecting OPTIONS requests with a 403 status code. OPTIONS requests (known as the "preflight request") are sent before certain cross-domain requests (such as POSTs with application/xml content types), to allow the server to notify the browser of what types of requests are allowed. Since the browser doesn't see the 200 response that it expects from the OPTIONS request, it doesn't fire the actual POST request.

Emily
  • I edited my question, these headers are correct. Any other ideas? – Rick Hoving Dec 19 '12 at 15:03
  • Hmm. Can you post the actual headers that you see on the requests and responses? (You can see these e.g. in Chrome dev tools.) You should be seeing an OPTIONS request with a response that contains `Access-Control-Allow-Origin: http://yourdomain.com`, `Access-Control-Allow-Methods: POST, OPTIONS` and `Access-Control-Allow-Credentials: true`. When you change the content type, it becomes a simple (not pre-flighted) request, so the server might not be responding properly to OPTIONS requests? – Emily Dec 19 '12 at 15:07
  • I added the request and response headers to my question, I am currently looking into the OPTIONS request, thanks for pointing me into this direction – Rick Hoving Dec 19 '12 at 15:11
  • What I find odd about the problem with the OPTIONS request is that I get a 403 forbidden not a 405 method not allowed (which you would expect if you're not able to do an OPTIONS request) – Rick Hoving Dec 19 '12 at 15:20
  • The 403 is the response to the OPTIONS request, or the response to the actual POST request? – Emily Dec 19 '12 at 15:28
  • By the way it would be really helpful to see the full exchange e.g. along the lines of http://goo.gl/L8cVE where it says "Let's take a look at the full exchange between client and server", as well as the server stack and browser you're using. I'm having a hard time getting the full picture of what's going on. – Emily Dec 19 '12 at 15:29
  • http://stackoverflow.com/questions/6656354/why-are-options-requests-not-arriving-in-my-asp-net-application -- This person also was getting a 403 for OPTIONS requests. – Emily Dec 19 '12 at 15:45
  • Thanks so much for your help Emily, I've narrowed it down to the exact problem, no solution yet but I'm in the right direction. I'll make another question about this, because this one is off topic. If you could summarize your answer in a new one (saying something about the server actively rejecting the preflight request) Ill gladly accept it. – Rick Hoving Dec 19 '12 at 16:09
  • Ok, sounds good; I edited this answer to include the new info. Thanks! – Emily Dec 19 '12 at 16:42
  • Note to future readers: the OP didn't specify what kind of server backend was in use, but several sources say that Tomcat specifically has a default OPTIONS handler that will return a 403 if you don't manually override it. Be aware! – Coderer Jul 29 '13 at 11:03
1

Basically we just have to write in .htaccess:

Header set Access-Control-Allow-Origin "*"

but when we need cookies etc., we have to add a script to your AJAX code and .htaccess.

I wrote about cross-domain XHR on my blog: blog.imammubin.com/cross-domain-xhr/2014/05/28/ (Edit: site no longer exists)

Hope this helps.

OldBuildingAndLoan
Imam Mubin
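As an added example (not code from the question or from either answer), here is a minimal Node.js origin server that does what Emily's answer describes, answering the OPTIONS preflight with the headers the browser expects instead of a 403, and that also shows the point both answers touch on: a credentialed request cannot be answered with `Access-Control-Allow-Origin: *`, the exact origin has to be echoed. The allow-list (only `https://www.mywebsite.com`, the page origin from the question), the allowed request headers, `https://evil.example` as a constructed disallowed origin, and port 8443 are assumptions for the demo.

```javascript
// Added example, not from the question or the answers: a minimal Node.js origin
// server that answers the CORS preflight the way the browser expects. The
// allow-list, header list and port are assumptions for the demo.

// Assumption: only the page origin from the question may make credentialed calls.
const ALLOWED_ORIGINS = new Set(["https://www.mywebsite.com"]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
// Assumption: the request headers the SOAP client is allowed to send.
const ALLOWED_HEADERS = ["content-type", "soapaction"];

// Header names the browser may send without triggering a preflight, and the
// Content-Type values that keep a POST "simple" (no OPTIONS round trip).
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// True when the browser will send an OPTIONS preflight before this request.
// text/xml is not a simple type, so the POST in the question is preflighted.
function needsPreflight(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers || {})) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    const mediaType = String(value).split(";")[0].trim().toLowerCase();
    if (n === "content-type" && !SIMPLE_CONTENT_TYPES.has(mediaType)) return true;
  }
  return false;
}

// CORS headers for an allowed origin, or null for anything else.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    // Echo the exact origin: the browser discards credentialed responses that say "*".
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Shared caches must not serve this response to a different Origin.
    "Vary": "Origin",
  };
}

// Decide how to answer an OPTIONS preflight. A 403 here is what the browser
// sees in the question; a 204 with these headers lets the real POST through.
function preflight(reqHeaders) {
  const base = corsHeaders(reqHeaders["origin"]);
  if (!base) return { status: 403, headers: {} };
  const method = (reqHeaders["access-control-request-method"] || "").toUpperCase();
  const wanted = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(method) || !wanted.every((h) => ALLOWED_HEADERS.includes(h))) {
    return { status: 403, headers: base };
  }
  return {
    status: 204,
    headers: {
      ...base,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Access-Control-Max-Age": "1800",
    },
  };
}

// Request handler: preflights go to preflight(), everything else gets the CORS
// headers plus a stub XML body standing in for the SOAP response.
function handle(req, res) {
  if (req.method === "OPTIONS") {
    const { status, headers } = preflight(req.headers);
    res.writeHead(status, headers);
    res.end();
    return;
  }
  const cors = corsHeaders(req.headers["origin"]);
  if (req.headers["origin"] && !cors) {
    res.writeHead(403);
    res.end();
    return;
  }
  res.writeHead(200, { ...(cors || {}), "Content-Type": "text/xml; charset=utf-8" });
  res.end('<?xml version="1.0"?><ok/>');
}

// Start listening. Assumption: plain HTTP on 8443 for the demo; TLS and the
// client-certificate requirement are configured in front of this handler.
function startServer(port = 8443) {
  const http = require("http"); // required lazily so the pure functions above load anywhere
  return http.createServer(handle).listen(port);
}
```

Run it with `startServer()` and point the `$.ajax` call from the question at it. Two caveats worth checking on a real server: the preflight is sent without credentials (per the Fetch standard that includes cookies and TLS client certificates), so whatever enforces the certificate must not reject OPTIONS before this handler runs, and the `Vary: Origin` header matters as soon as a cache sits between the browser and the server, because the echoed origin differs per caller.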