129

I'm running into a weird CORS issue right now.

Here's the error message:

XMLHttpRequest cannot load http://localhost:8666/routeREST/select?q=[...] 
Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin

Two servers:

  • localhost:8666/routeREST/ : this is a simple Python Bottle server.
  • localhost:8080/ : Python simpleHTTPserver where I run my JavaScript application. This app is executing Ajax requests on the server above.

Any thoughts on what could be the problem?

EDIT:

And... the port was the problem. Thanks for your answers :)

If anyone is using a Python bottle server as well, you can follow the answer given on this post to solve the CORS issue: Bottle Py: Enabling CORS for jQuery AJAX requests

Mr_Pouet
  • 16
    Since they are on different ports they are not the same! – some Nov 13 '13 at 23:41
  • The port numbers are different. This might violate Cross Origin rules. –  Nov 13 '13 at 23:41
  • 5
    Note that IE doesn't take port number into account. – Ray Nicholus Nov 14 '13 at 15:19
  • 1
    @some Most browsers also conclude they're not the same if one has a 'www' and the other doesn't. The devil's in the details. – Seldom 'Where's Monica' Needy Apr 19 '17 at 23:18
  • @SeldomNeedy example.com, www.example.com, www1.example.com, and mirror.www.example.com are all different domains. http://example.com, ftp://example.com, https://example.com, https://example.com:80443/ are all from different origins. – some Apr 24 '17 at 12:44
  • Some web browsers allow it and others don't. Web browsers seem to be stuck in the era of monoliths, while all back-ends are migrating to multi-server environments. All self-respecting websites disable CORS to some degree. How else can you support http+https+websockets+www+loadbalancing+api-servers+... Some security settings are so extreme that everybody disables them and totally misses their point. – bvdb Jan 20 '21 at 23:57
  • @RayNicholus no, you are wrong. – Micha93 Feb 13 '21 at 20:52

2 Answers

166

It is only considered to be the same if the protocol, host and port are the same: Same Origin Policy

If you want to enable it you must follow Cross-Origin Resource Sharing (CORS) by adding headers. Mozilla has examples

You need to add Access-Control-Allow-Origin as a header in your response. To allow everyone (you should probably NOT do that):

Access-Control-Allow-Origin: *

If you need to support multiple origins (for example both example.com and www.example.com), set the Access-Control-Allow-Origin in your reply to the value of the Origin-header from the request (after you verified that the Origin is white-listed.)

Also note that some requests send a preflight request, with an OPTIONS method, so if you write your own code you must handle those requests too. See Mozilla for examples.

some
  • 11
    This should be highlighted with red colour, capitals and bold *everywhere* where AJAX gets involved. – Zoltán Schmidt Aug 15 '16 at 20:32
  • 7
    As an addendum to this answer, note that `'Access-Control-Allow-Origin: https://example.com'` is ***NOT*** equivalent to `'Access-Control-Allow-Origin: https://www.example.com'`. If your site is accessible via both of those, you should have both in your response-headers. – Seldom 'Where's Monica' Needy Apr 19 '17 at 23:12
  • 1
    Note that no preflight requests are sent by default for simple requests like `GET`, `POST` and `HEAD`. See the [MDN article linked in the answer](https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS) for additional details. – Emile Bergeron Jan 22 '18 at 19:44
  • @SeldomNeedy you can't have duplicate headers – Mike Flynn Jan 05 '19 at 15:21
  • @MikeFlynn My wording was admittedly a touch loose, but I wasn't trying to suggest that; the server simply needs to be configured to send the appropriate header, per the request. – Seldom 'Where's Monica' Needy Jan 06 '19 at 21:07
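
The allowlist-then-echo approach and the preflight handling described in the answer above, as an added example that is not part of the original answer or its comments: a standard-library WSGI middleware (a Bottle application is a WSGI callable, so it can be wrapped the same way). The allowlist contents, the allowed methods and headers, and the `demo_app` and `call` helpers are assumptions for illustration.

```python
# Added example: standard-library WSGI middleware; all names below are assumptions.
ALLOWED_ORIGINS = {"http://localhost:8080"}  # exact scheme://host:port strings
ALLOWED_METHODS = "GET, POST, OPTIONS"
ALLOWED_HEADERS = "Content-Type"

def cors_headers(origin):
    """Headers for a request Origin: echo it only on an exact allowlist match."""
    headers = [("Vary", "Origin")]  # response depends on Origin, so caches must key on it
    if origin in ALLOWED_ORIGINS:   # no prefix, suffix or regex matching
        headers.append(("Access-Control-Allow-Origin", origin))
    return headers

def cors_middleware(app):
    """Wrap a WSGI app: answer preflights, add CORS headers to other responses."""
    def wrapped(environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        extra = cors_headers(origin)
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            if origin in ALLOWED_ORIGINS:
                extra += [("Access-Control-Allow-Methods", ALLOWED_METHODS),
                          ("Access-Control-Allow-Headers", ALLOWED_HEADERS)]
            start_response("204 No Content", extra)
            return [b""]
        def start_with_cors(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return app(environ, start_with_cors)
    return wrapped

def demo_app(environ, start_response):
    """Constructed stand-in for the /routeREST/select handler."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']

def call(method, origin=None, preflight=False):
    """Send one constructed request through the middleware; return (status, headers)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/routeREST/select"}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if preflight:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = "POST"
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    cors_middleware(demo_app)(environ, start_response)
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    print(call("GET", "http://localhost:8080"), call("GET", "http://localhost:8081"))
```

An origin that differs only in port or scheme gets no `Access-Control-Allow-Origin` header, so the browser blocks the page's script from reading the response.
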
43

The port numbers are different.

A request is considered cross-domain if any of the scheme, hostname, or port do not match.

jcarpenter2