No 'Access-Control-Allow-Origin' - CORS

Question

I try to fetch content via XMLHttpRequest:

var url = 'http://mapy.geoportal.gov.pl/wss/service/SLN/guest/sln/woj.json'

    if (XMLHttpRequest) {
    var request = new XMLHttpRequest();
    if ('withCredentials' in request) {
        request.open('GET', url, true);
        request.withCredentials = 'true';
        request.withCredentials = 'true';
        request.setRequestHeader('Access-Control-Allow-Origin', '*');
        request.send();
    }
}

I am getting next message:

XMLHttpRequest cannot load http://mapy.geoportal.gov.pl/wss/service/SLN/guest/sln/woj.json. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

How to fix this? I set Access-Control-Allow-Origin header to *

continu my problem with url : jsonp continue

Answer 1

You attaching Access-Control-Allow-Origin on frontend, but that header shall be added while handling requests on server side. Server should attach Access-Control-Allow-Origin, Access-Control-Request-Method headers to response that's permit performing requests for frontend.

My guess is that you cannot modify way the server handles requests and server doesn't support JSON Padding (JSONP), so you have to use JSON Proxy to fetch that json data ...

See How to add CORS support to server article and How does Access-Control-Allow-Origin header work? SO question to get more info regarding CORS.

Answer 2

CORS is browser only thing.

When you try to access some resource from current origin(current domain) to another domain, browser block this request.

Now the server or whatever that is you're hitting to get resource wants to whitelist your domain it can does so by adding some headers.