-1

Trying to make a cross-origin call from one server to another server. Can't get it working. So I made a test page with the code that works with this example: http://arunranga.com/examples/access-control/preflightInvocation.html

Here is my example page with same code: http://webcosmo.com/test.html

However I am getting 403 forbidden error.

Anybody?

manik
  • Which browser are you testing with? CORS isn't fully supported in IE<10, they either require a different xhr object or don't support it at all (IE6/7) – Kevin B Jan 28 '13 at 15:44
  • I haven't looked at your code, but do you use any special headers? You may need to serve (e.g., for the Authorization header) an `Access-Control-Request-Headers: Authorization` CORS header allowing the client to send non-standard headers. – apsillers Jan 28 '13 at 15:57

2 Answers

3

Your resource is missing Access-Control-Allow-Origin header. Thus CORS won't work with it. Try adding this to your response headers:

Access-Control-Allow-Origin: *

Read this for more info about Access-Control-Allow-Origin header.

freakish
  • Thanks. I was missing on that. I need to have a response header Access-Control-Allow-Origin set to * or allowed domain back from server. – manik Jan 28 '13 at 16:33
  • FWIW, and then after verifying that it works with `*`, for security, replace `*` with the domains which are permitted to access the resource! For example http://stackoverflow.com/a/16267287/199364 – ToolmakerSteve Aug 02 '15 at 00:23
0

If you add Access-Control-Allow-Origin: * then your instruction withCredentials won't work. The best practice is to add the direct origin from the request. In PHP you can use $_SERVER['HTTP_ORIGIN'];

p.s. also you can compare origins with your trusted domains and give limited access.

Igor Bloom
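
The allowlist approach suggested in the last answer and in ToolmakerSteve's comment, as an added PHP example that is not part of the original posts. The trusted origins and the allowed methods and request headers are constructed assumptions; replace them with your own.

```php
<?php
// Added example: reflect the request Origin only when it is on an allowlist.
// The origins below are constructed placeholders, not taken from the page.
const TRUSTED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

// Returns the CORS response headers for one request as name => value pairs.
function cors_headers(?string $origin, string $method, array $trusted): array
{
    // The response depends on Origin, so tell caches even when access is denied.
    $headers = ['Vary' => 'Origin'];
    // Exact, strict comparison: no substring or regex matching, so a value
    // such as "https://app.example.com.other.test" is never accepted.
    if ($origin === null || !in_array($origin, $trusted, true)) {
        return $headers; // no Allow-Origin header: the browser blocks the read
    }
    $headers['Access-Control-Allow-Origin'] = $origin;      // specific origin, not "*"
    $headers['Access-Control-Allow-Credentials'] = 'true';  // only valid without "*"
    if ($method === 'OPTIONS') {
        // Preflight: state which methods and request headers are accepted.
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type';
        $headers['Access-Control-Max-Age'] = '600';
    }
    return $headers;
}

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
foreach (cors_headers($origin, $method, TRUSTED_ORIGINS) as $name => $value) {
    header("$name: $value");
}
if ($method === 'OPTIONS') {
    http_response_code(204); // preflight needs no body
    exit;
}
```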