0

Although I am passing header Access-Control-Allow-Origin in the request like this:

$http({     method: 'GET',
            url:$APIs_server + "api/get-all-notifications",
            headers: {
                'Access-Control-Allow-Headers': 'Content-Type',
                'Access-Control-Allow-Origin':'*',
                'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
                'Authorization': JWT_token
            }
        }).success(function (response) {
            //console.log("response.data: ", response.data);
            if (response.data != undefined)
                $scope.populate_notifications(response.data);

        });

I got an error No 'Access-Control-Allow-Origin' header is present on the requested resource, here is the full error:

XMLHttpRequest cannot load http://localhost:9902/api/get-all-notifications. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8000' is therefore not allowed access. The response had HTTP status code 405.

Please advice if someone can explain?

Kevin B
  • 94,570
  • 16
  • 163
  • 180
simo
  • 23,342
  • 38
  • 121
  • 218
  • Because it's not a client side issue – Alon Eitan Jan 31 '17 at 16:39
  • Do I have to explicitly allow all origins on the server? , I am not doing any thing special – simo Jan 31 '17 at 16:43
  • 1
    Yes. It would be completely useless as a security measure if the client-side code could just decide whether to allow cross-origin requests or not. – JJJ Jan 31 '17 at 16:43
  • @simo Your server is on different port => Not the same origin as the client – Alon Eitan Jan 31 '17 at 16:45
  • You can specify your allowed origin from the server so that your access is not open to every client but yours. – lenilsondc Jan 31 '17 at 16:47
  • I've implemented a middleware to accept origins from any website for testing but it seems that it's not working – simo Jan 31 '17 at 16:59
  • @Aron do server and client have to be on same port? – simo Jan 31 '17 at 17:01
  • [You betcha](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) - _Two pages have the same origin if the protocol, __port (if one is specified)__, and host are the same for both pages_ – Alon Eitan Jan 31 '17 at 17:05

0 Answers0