0

I get the following error from an ajax request in Firefox:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.example.org/php/save.php. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

I tried to find out why this is happening. It is strange since

  • the script works totally fine on my subdomain on the same server
  • the file accessed is on the same server

I also tried

xhttp = new XMLHttpRequest({mozSystem: true});

as suggested here: https://stackoverflow.com/a/22392080

But that did not help either.

I am using the following command to open the request:

xhttp.open('POST', '/php/save.php', true);

I found a number of other solutions for when the file is on another server:

<IfModule mod_headers.c>
  Header set Access-Control-Allow-Origin "*"
</IfModule>

But I don't see why I should do this if the file is actually on the same server...

Edit

I removed the following two lines from my .htaccess file and now it works.

RewriteCond     %{HTTP_HOST}    !^www\.example\.org$                        [NC]
RewriteRule     .?              http://www.example.org%{REQUEST_URI}        [R=301,L]

Though I am not sure why... maybe the adding of www. works like moving to a subdomain?

What would I have to add to my .htaccess file to get it to work with ajax and the rewrite?

Daniel
  • `How to fix Cross-Origin Request Blocked for ajax request (in Firefox)?` - for all browsers it's the same ... the server needs to allow CORS ... for POST requests, there's a preflight happening that has to be properly responded to by the server as well ... read some CORS documentation – Jaromanda X Jan 24 '17 at 08:05
  • what does it mean `on the same server`? – smnbbrv Jan 24 '17 at 08:05
  • CORS disallows any client AJAX making potentially harmful requests (think POSTs w/ malicious data such as "DROP TABLE" to be passed to the database) from any other domain than the origin of request unless the target allows it. – Joshua Jan 24 '17 at 08:07
  • @JaromandaX: I don't see why this is no problem then when the files are in another folder for the subdomain? – Daniel Jan 24 '17 at 08:08
  • You can try http://www.ajax-cross-origin.com/. – Ataur Rahman Munna Jan 24 '17 at 08:08
  • @AtaurRahmanMunna Thanks. But I am not using jQuery. – Daniel Jan 24 '17 at 08:09
  • you should read this @Daniel. http://stackoverflow.com/questions/9310112/why-am-i-seeing-an-origin-is-not-allowed-by-access-control-allow-origin-error/9311585#9311585 – Ataur Rahman Munna Jan 24 '17 at 08:09
  • @smnbbrv Well, everything is in the same folder on the server (in different subfolders though). – Daniel Jan 24 '17 at 08:10
  • 1
    @Daniel - neither do I as I have no access to your server to check what headers it's issuing under every circumstance - subdomains can be made to behave using other methods, but again, I can't see all your code so I guess you'll have to do some research and debugging – Jaromanda X Jan 24 '17 at 08:10
  • @Daniel I don't ask where the files are located, but I ask how you are accessing them. Please give the url which is displayed in your browser address bar and the URL of the script / whatever you trying to access with `XMLHttpRequest` – smnbbrv Jan 24 '17 at 08:12
  • @smnbbrv I don't have it up right now since it was unusable. A difference to the subdomain is the `.htaccess` file I am using. Maybe that helps if I post that here? – Daniel Jan 24 '17 at 08:19
  • @Daniel no, you ask a question exactly about the URL and the domain specifically and you do not provide URLs. How am I supposed to answer? – smnbbrv Jan 24 '17 at 08:20
  • @smnbbrv What would you be looking for? Maybe I can give the information in another way? – Daniel Jan 24 '17 at 08:28
  • @AtaurRahmanMunna Unfortunately I am in EX 4. So it should work, right? – Daniel Jan 24 '17 at 08:30
  • @Daniel I think you have different subdomains or ports and assuming it to be the same server. E.g. `abc.def.com` and `def.com` are different domains for browsers. `def.com:80` and `def.com:8080` are different domains as well. Even if they are on the same machine and even in the same folder it does not matter because for the browser they are on different domains – smnbbrv Jan 24 '17 at 08:32
  • @smnbbrv No this is not the case. But could it be that my rewrite rules in the `.htaccess` file, like adding `www.` if it is missing, are causing this? – Daniel Jan 24 '17 at 08:35
  • @Daniel .htaccess file cannot do that, but adding www exactly means that page is on `www.example.com`, and the resource is on `example.com` (and you add www to it while rewriting) => different domains. This is exactly what I am talking about – smnbbrv Jan 24 '17 at 08:39
  • @smnbbrv Well then the `.htaccess` file is exactly doing that. Anyway, what will I have to do when there is such a rewrite? – Daniel Jan 24 '17 at 08:56
  • @JaromandaX I have done some research and debugging and figured out the lines in my `.htaccess` that caused this. Maybe you have an idea how to get it to work? – Daniel Jan 24 '17 at 09:22
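Added example, not code from the question or from any of the commenters: a small JavaScript model of what the browser is doing in this situation. It resolves the relative XHR URL against the page URL the way XMLHttpRequest.open() does, applies the www-adding 301 rule from the question, and then compares the origin tuples (scheme, host, port) of the page and of the final resource. It also checks the abc.def.com / def.com and :80 / :8080 pairs from smnbbrv's comment. The rewrite simulation and the helper names are assumptions for illustration; the behaviour being modelled is that a redirect to another host turns a same-origin request into a cross-origin one, at which point the browser needs an Access-Control-Allow-Origin header on the response before the script may read it.

```javascript
// Hypothetical helper code (added example). Uses the WHATWG URL class that
// ships with Node.js and with every current browser.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin tuple used by the same-origin policy: scheme, host and port.
// The default port is filled in so http://h and http://h:80 compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// xhttp.open('POST', '/php/save.php') resolves the path against the
// document's own URL, so the host the request goes to is the page's host.
function resolveRequestUrl(documentUrl, requestPath) {
  return new URL(requestPath, documentUrl).href;
}

// Model of the two .htaccess lines from the question:
//   RewriteCond %{HTTP_HOST} !^www\.example\.org$ [NC]
//   RewriteRule .? http://www.example.org%{REQUEST_URI} [R=301,L]
// Returns the Location the server would redirect to, or null if the host
// already matches and no redirect happens. (Assumed model, not Apache itself.)
function applyWwwRewrite(requestUrl) {
  const u = new URL(requestUrl);
  if (/^www\.example\.org$/i.test(u.hostname)) return null;
  return `http://www.example.org${u.pathname}${u.search}`;
}

// Trace one XHR: resolve the URL, follow the redirect if any, and report
// whether the final resource is still same-origin with the requesting page.
function traceRequest(documentUrl, requestPath) {
  const requested = resolveRequestUrl(documentUrl, requestPath);
  const redirectedTo = applyWwwRewrite(requested);
  const finalUrl = redirectedTo || requested;
  return {
    requested,
    redirectedTo,
    finalUrl,
    sameOrigin: isSameOrigin(documentUrl, finalUrl),
  };
}

// Page loaded without www: the XHR is redirected to www.example.org and the
// response is cross-origin. Page loaded with www: no redirect, same origin.
console.log(JSON.stringify(traceRequest('http://example.org/', '/php/save.php'), null, 2));
console.log(JSON.stringify(traceRequest('http://www.example.org/', '/php/save.php'), null, 2));
```

Run it with node. The first trace is the situation in the question: the page at http://example.org/ asks for /php/save.php, the server answers 301 to http://www.example.org/php/save.php, and the browser now treats the redirected response as coming from a different origin. The second trace shows that when the page itself was loaded under www.example.org the rule never fires and the request stays same-origin, which is why the failure depends on which hostname the visitor typed.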

2 Answers

1

This is what solved my problem - though I am not sure why. Instead of the rewrite I used before I use:

RewriteCond %{HTTP_HOST} !^www\.example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
Daniel
0

For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest and Fetch follow the same-origin policy. So, a web application using XMLHttpRequest or Fetch could only make HTTP requests to its own domain.

To enable your request across different domains you could:

  • Enable cross-origin resource sharing (recommended)

CORS is a standard mechanism that can be used by all browsers for implementing cross-domain requests. You specify a set of headers that allow the browser and server to communicate.

Useful resource: http://enable-cors.org/

  • Use a reverse proxy.

  • Use JSONP (works only if you need to read data).

More info: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

GibboK
  • Thanks. But the problem is that I am not requesting material from another domain. So I don't see how this is applicable. – Daniel Jan 24 '17 at 08:32
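Added example, not from GibboK's answer or from the enable-cors.org material it links: the server side of the CORS mechanism the answer recommends, written as a JavaScript function that decides which CORS headers go on a response. It puts the wildcard setting from the .htaccess snippet in the question next to an allowlist version, and it answers the preflight OPTIONS request that Jaromanda X's comment mentions. The allowed origins, methods and header names are assumptions chosen for this illustration; the request objects are constructed inline so the code runs without a web server.

```javascript
// Hypothetical CORS policy helper (added example). `req` is a plain object
// with `method` and lower-cased `headers`, the shape Node's http module gives.

// Allowlist of exact origins (scheme + host + port). Both spellings of the
// site are listed because the www redirect in the question makes them distinct.
const ALLOWED_ORIGINS = new Set(['http://www.example.org', 'http://example.org']);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];

// The setting from the question's .htaccess snippet, for comparison:
//   Header set Access-Control-Allow-Origin "*"
// "*" lets a page on any site read this endpoint's responses, and browsers
// reject "*" outright for requests that carry cookies, so it is both too
// broad and, for authenticated endpoints, does not work.
function corsHeadersWildcard() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Allowlist version. Returns { status, headers }: `status` is a response code
// to send immediately (preflight answer or refusal) or null to carry on to
// the normal handler with `headers` added.
function corsHeaders(req) {
  const origin = req.headers['origin'];
  const method = (req.method || 'GET').toUpperCase();
  // Vary: Origin stops a shared cache from handing one origin's answer to another.
  const headers = { 'Vary': 'Origin' };

  // No Origin header: same-origin navigation or a non-browser client; nothing to add.
  if (!origin) return { status: null, headers };

  // Unknown origin: send no Access-Control-Allow-Origin at all. The browser
  // then blocks the read, which is the error message from the question.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: method === 'OPTIONS' ? 403 : null, headers };
  }

  // Echo the exact origin rather than "*" so credentials may be allowed.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';

  // Preflight: the browser asks, before a POST with a non-simple Content-Type
  // or custom header, whether that method and those headers are permitted.
  if (method === 'OPTIONS' && req.headers['access-control-request-method']) {
    const wantedMethod = req.headers['access-control-request-method'].toUpperCase();
    const wantedHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const permitted = ALLOWED_METHODS.includes(wantedMethod)
      && wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!permitted) return { status: 403, headers };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // seconds the browser may cache this answer
    return { status: 204, headers };
  }

  // Actual request from an allowed origin: let the handler run with ACAO set.
  return { status: null, headers };
}

// Constructed sample: the preflight Firefox sends before a JSON POST.
const samplePreflight = {
  method: 'OPTIONS',
  headers: {
    'origin': 'http://example.org',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'Content-Type',
  },
};
console.log(corsHeaders(samplePreflight));
```

Run it with node. Mapping this back to the question: the redirected POST arrives at www.example.org with Origin: http://example.org, so the allowlist has to contain the non-www spelling too, or the redirect has to be avoided in the first place by always serving the page from the same hostname the script posts to.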