2

Hy,

I've this error when I do a request ajax to another domain:

XMLHttpRequest cannot load http://rec.something.fr/services/data.
The 'Access-Control-Allow-Origin' header contains the invalid value '*.something.fr'.
Origin 'http://local.something.fr' is therefore not allowed access

I don't understand if the 'Access-Control-Allow-Origin' header can use or not a regexp expression. Some sources said it can, other said it cannot.

The big issue is that it's another society who is in charge of the http://rec.something.fr. Before I call them, I want to be sure that the issue is on their server, and not that's something on my code who is missing.

my code:(Origin = http://local.something.fr)

$.ajax({
        url: "http://rec.something.fr/services/data",
        crossDomain: true,
        dataType: "json" })

the content of the called Services is a Json:

[{data:myData}]

If I use the CORS chrome plugin who catch the response and replace Access-Control-Allow-Origin: *.something.fr by Access-Control-Allow-Origin: *, It will work.

I cannot use JSONP because this would require updating the rec.something.fr server

Any Idea?

sab
  • 4,352
  • 7
  • 36
  • 60

1 Answers1

2

Access-Control-Allow-Origin values can’t be regular expressions or any other kind of pattern. They must either exactly match the request Origin header, or be null, or be a single literal *.

See also the accepted answer to the question Access-Control-Allow-Origin wildcard subdomains, ports and protocols and the first comment for the question Using a regular expression with CORS.

So there’s no fix you can make on your side to work around this. The http://rec.something.fr maintainers just need to fix the broken Access-Control-Allow-Origin header they’re sending.

I don't understand if the 'Access-Control-Allow-Origin' header can use or not a regexp expression. Some sources said it can, other said it cannot.

It definitely cannot. The current authoritative source for the Access-Control-Allow-Origin valid syntax is the ABNF production for it in the “HTTP new-header syntax” section of the Fetch spec:

Access-Control-Allow-Origin      = origin-or-null / "*"

For a good secondary source, see the “Handling a simple request” section of the Using CORS article at HTML5 Rocks, which states it this way:

The value of the header can either echo the Origin request header, or be a '*' to allow requests from any origin.

So if you want to try to help the http://rec.something.fr maintainers correct their server config, you can suggest to them that they should change the code in their server logic to do the following:

  • for requests from origins matching *.something.fr, send Access-Control-Allow-Origin back with a value that’s exactly the same as the value of the request Origin header
  • otherwise, for requests from origins that do not match *.something.fr, then just don’t send back Access-Control-Allow-Origin at all
Community
  • 1
  • 1
sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
  • Thank you very much, do you know how I can do to allow two diferent Origin (http://local.something.fr and http://local2.something.fr') without using * ? – sab Feb 10 '16 at 16:29
  • To allow two different origins `local.something.fr` and `local2.something.fr`, something like (pseudocode) `if (origin == "local.something.fr" or origin == "local2.something.fr") { header "Access-Control-Allow-Origin" = origin }`. The real code that would be needed depends on what the actual web-server software is and what mechanisms it provides for setting headers conditionally. – sideshowbarker Feb 10 '16 at 16:40