0

I have a subdomain "x.domain.com" which then calls files from the static file subdomain "y.domain.com".

In my config file I have:

require_once("/var/_BACKEND$/functions/cors.php");

This includes the file fine. The contents of "cors.php" are the code contained in the answer to this question: CORS with php headers (I have tried searching for this problem!!)

In the bottom of the config file I also have the code:

if(!function_exists('cors')) die("err"); else cors();

Now for some reason, despite the code being exactly as it is above, and the file including fine, I am still receiving the following error from the browser:

XMLHttpRequest cannot load http://y.domain.com/scripts/ajax.php. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://x.domain.com' is therefore not allowed access.

Using a header checker also brings the following results:

The 302 is intentional.

http headers

This all appears as it should

Community

2 Answers

1

You can't do that.

Access-Control-Allow-Origin must be present on the actual resource that access is being allowed to, not just a redirect. (Otherwise, you could bypass security restrictions by sending this header on a redirect to anything you wanted!)

  • Sorry I should have been more clear. The 302 is only because specific parameters of the request (POST) were not met. Nothing to do with trying to pass on the origin access control header –  Dec 18 '14 at 21:44
  • Well, what are the headers on the resource you're redirecting to? Is ACAO set on that one? –  Dec 18 '14 at 22:17
0

Did you try to do that via .htaccess?

Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"

Enable a2enmod headers

or modify your php script and replace * (asterisk) with x-requested-with

Carca
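A sketch of a `cors()` helper that ties the two answers together, added here as an example and not code from this thread or from the linked answer: it sends `Access-Control-Allow-Origin` only for an allowlisted origin (instead of `*`) and is meant to be called before any redirect or `die()`, so every response from `y.domain.com` carries the header. The allowlist contents and the preflight method and header lists are assumptions.

```php
<?php
// Added example, not code from this thread. Hostnames are the question's placeholders.
const ALLOWED_ORIGINS = ['http://x.domain.com']; // assumption: exact-match allowlist

/** Build the CORS headers for one request as a name => value array. */
function cors_headers(?string $origin, string $method, array $allowed = ALLOWED_ORIGINS): array
{
    $headers = ['Vary' => 'Origin']; // always: keeps caches from mixing origins
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return $headers; // unknown origin: no ACAO, so the browser blocks the read
    }
    $headers['Access-Control-Allow-Origin'] = $origin; // echo only an allowlisted value
    if ($method === 'OPTIONS') { // preflight: assumed method and header lists
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Requested-With';
    }
    return $headers;
}

/** Emit the headers. Call before any output, header('Location: ...'), die() or exit. */
function cors(): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? null, $method) as $name => $value) {
        header("$name: $value");
    }
    if ($method === 'OPTIONS') {
        http_response_code(204); // a preflight needs no body
        exit;
    }
}

// Constructed checks, run from the command line with: php cors.php
if (PHP_SAPI === 'cli') {
    $allowed = cors_headers('http://x.domain.com', 'POST');
    $ok = $allowed === ['Vary' => 'Origin', 'Access-Control-Allow-Origin' => 'http://x.domain.com']
        && cors_headers('http://evil.example', 'POST') === ['Vary' => 'Origin']
        && cors_headers(null, 'GET') === ['Vary' => 'Origin']
        && isset(cors_headers('http://x.domain.com', 'OPTIONS')['Access-Control-Allow-Methods']);
    echo $ok ? "ok\n" : "FAILED\n";
}
```

If the `Header add` lines from the `.htaccess` answer are also enabled, the response ends up with two `Access-Control-Allow-Origin` values and the browser rejects it, so set the header in one place only.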