Cross-Domain Scripting Error using Angular and PHP on Openshift

Question

I've searched all over the web, found various answers in other stackoverflow threads, tried them ALL and couldn't get mine to work. Scenario:

Using angular at client side and using http-get requests
Using PHP at server side next to MySQL database running on Openshift host.

Angular code:

var app = angular.module("myapp", []).config(function ($httpProvider) {
//Enable cross domain calls
$httpProvider.defaults.useXDomain = true;
delete $httpProvider.defaults.headers.common['X-Requested-With'];
});

app.controller("Circle", function ($scope, $http)
{
    $scope.Bijstand = function (Verdiep) {
       $http.get(url + "?function=getMetingen&Verdieping="+Verdiep)
        .success(function (Result) {
            console.log(Result);
        });
    }
});

PHP code:

header("Access-Control-Allow-Origin: 'http://localhost:54700'")
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: GET, POST"); 
header("Access-Control-Allow-Headers: X-Requested-With");

$servername = getenv('OPENSHIFT_MYSQL_DB_HOST').":".getenv('OPENSHIFT_MYSQL_DB_PORT');
$username = getenv('OPENSHIFT_MYSQL_DB_USERNAME');
$password = getenv('OPENSHIFT_MYSQL_DB_PASSWORD');
$dbname = getenv('OPENSHIFT_GEAR_NAME');

// Create connection
$con = $con = mysql_connect($servername, $username, $password);
// Check connection
if (!$con) {
    die("Connection failed: " . mysql_error());
} 
mysql_select_db($dbname,$con);

when making the http-get request from angular to php I get the following error:

SEC7120 : Origin of 'http://localhost:54700' not found in Access -Control- Allow -Origin header .

SCRIPT7002 : XMLHttpRequest : Network error 0x80700013 , Can not complete this operation by mistake 80700013 .

SERVER ERROR - The server has detected an unexpected error that the request can not be completed.( XHR ) : GET - " getString "

I've seen various methods of trying to fix this and I have tried ALL of them and none work. Please help me debug this. FYI: I'm not concerned with security of the database or the data. The information stored is not sensitive at all so don't hold back on the "privacy" issues. Thanks

score 0 · Answer 1 · edited May 23 '17 at 12:15

0

This is probably not a complete answer, but the HTTP response can have only a single value for Access-Control-Allow-Origin.

For example, another SO Question discusses the problems when multiple ACAO fields are used.

Listing the values in a single field will not work either. The W3C Spec says:

Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

Using '*' (asterisk) as the value, will not work always, see the W3C Spec for more details.

Thus, the only safe value to return is 'http://localhost:54700'.

Finally, Chrome has had issues with supporting CORS on localhost, see this Question for further details. This problem was still there a couple of months ago when I studied CORS the last time.

edited May 23 '17 at 12:15

Community

1
1

answered Dec 18 '15 at 22:03

masa

2,762
3
21
32

So changed it to one single ACAO command so it now looks like header("Access-Control-Allow-Origin: 'http://localhost:54700'"); But I'm still getting the same errors. For the record. I am running and debugging this in Microsoft Edge not chrome – Tom Kustermans Dec 19 '15 at 12:05
Could you add the HTTP messages (header fields) exchanged between the browser and the server to the question, so that we can see what is happening from the CORS point of view? – masa Dec 19 '15 at 13:04
do you mean the get-string I send to PHP ? And I'm not how to access CORS information. – Tom Kustermans Dec 21 '15 at 13:31
For example, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS, the listing below "full exchange between client and server". You can see this content in the browser console. – masa Dec 21 '15 at 13:39
Never really worked with CORS, so I'm not quite sure, but is this what you require? http://www.image-share.com/ipng-3125-32.html – Tom Kustermans Dec 21 '15 at 13:59
Sorry, I gave you some bad advice. CORS has three players: your application running on the browser, the browser itself and the server. It is the messaging between the latter two that is important, and I am not sure if one can see this messaging in current browsers properly. I use tools like Fiddler. I suggest that you read the document behind the link I provided. In principle, CORS is not that difficult: it involves only a couple of HTTP headers and messages. Then you should provide a copy of those relevant HTTP messages (the headers), between the server and the browser. – masa Dec 21 '15 at 17:07
so the image I linked doesn't provide enough information. If not I'll try and find out how to get you the appropriate information – Tom Kustermans Dec 21 '15 at 19:02
I've tried uploading my entire project to the ftp so now everything is running serverside as I understand it. No more local project just a URL to go to and when I try to do the GET request, there's no more ACAO-errors. All I'm getting is the "500 (Internal Server Error)". – Tom Kustermans Dec 21 '15 at 19:14

Cross-Domain Scripting Error using Angular and PHP on Openshift

1 Answers1