Access Control Allow Origin - Not Working

Question

I have a PHP API that verifies the specified credentials. At the beginning of my PHP file I have this

header('Access-Control-Allow-Origin: http://example.org');
header('Access-Control-Max-Age: 3628800');
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
header('Content-type: application/json');

Although when I use my API (using AJAX) I get this error:

XMLHttpRequest cannot load http://api.example.com/?params=parameters+go+here. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.org' is therefore not allowed access.

NOTE: I have reason to believe that there is a flaw in the AJAX

$.ajax({
    url: 'http://api.example.com/?type=verify&username=' + username + '&password=' + password,
    dataType: 'json',
    success: function( result ) {
        success = result['success'];
        return success;
    }
});

Any help you could provide would be greatly appreciated.

Thanks, CSF

clearly your headers are **not** sent - verify in the browser **developer** tools network tab, see what response headers are actually sent — Jaromanda X, Apr 21 '17 at 05:08
@JaromandaX Thanks. Just checked the Developer Network tab I do not know how to see the headers though. — csf30816, Apr 21 '17 at 05:10
by clicking on the request (as I don't even know which browser you have, that's the best I can suggest) — Jaromanda X, Apr 21 '17 at 05:11
@JaromandaX Thanks. Just checked the headers (using Chrome) All the headers I put in the PHP show up. Any Idea what is going on? — csf30816, Apr 21 '17 at 05:15
weird, if chrome says `No 'Access-Control-Allow-Origin'` but there **is** a `'Access-Control-Allow-Origin'` - then chrome is lying to you!! — Jaromanda X, Apr 21 '17 at 05:16
Are there any errors in the server, like attempting to set headers after headers have already been sent? — Bernard, Apr 21 '17 at 05:21
@JaromandaX Maybe it is not something wrong in the PHP but the AJAX. I will update my question to include the AJAX. — csf30816, Apr 21 '17 at 05:21
@juria_roberts How would I find out if it is? If you mean 'Is Chrome saying the header is set?' than yes. But if not I do not understand the question. — csf30816, Apr 21 '17 at 05:26
sorry, i just looked at the error message. Looks like the origin is going to the server. — juria_roberts, Apr 21 '17 at 05:29
@Bernard Sorry, did not see your post until now. I do not think so since Chrome says they are set. But is there a way to check for header errors?? — csf30816, Apr 21 '17 at 05:39
I'm not too sure as I don't use PHP much, but I recall that if you enable displaying of errors, the page served by the PHP server will contain the error text. It should look something like [this question](http://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php). — Bernard, Apr 21 '17 at 05:46
Also, another possibility is that the page that is intended to be served by http://example.org is being served by http://localhost, http://127.0.0.1, or as a file:// request, and it doesn't match with the header returned by PHP. To check this, change your PHP to `header('Access-Control-Allow-Origin: *');` temporarily and see whether it works. — Bernard, Apr 21 '17 at 05:51
@Bernard Ah yes... The headers already sent error. I think my server does send those but I would need to test. — csf30816, Apr 21 '17 at 05:51
@Bernard that did not work. I tried it but it gave me the same error. — csf30816, Apr 21 '17 at 05:54

score 0 · Answer 1 · answered Apr 21 '17 at 05:39

0

Well, if you just want to test your code then download the "Allow-Control-Allow-Origin" extension Link ~ here but if you want it to work on every browser/client without any requirement of the extension.. then please refer here .. GOOD LUCK!

answered Apr 21 '17 at 05:39

Ankit Gupta

512
1
6
19

Is there a version of that using PHP? That would be great thanks. – csf30816 Apr 21 '17 at 05:44
refer to this - http://www.mjhall.org/php-cross-origin-resource-sharing/ – Ankit Gupta Apr 21 '17 at 05:57

score -2 · Accepted Answer · edited Mar 01 '18 at 04:25

-2

it's easy... if you use Chrome i suggest you that install Allow-Control-Allow-Origin: * Extension...

After Added to chrome, you just need to Enable/Disable cross-origin resource sharing toggle button...

https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?utm_source=chrome-app-launcher-info-dialog

edited Mar 01 '18 at 04:25

alessandrio

4,282
2
29
40

answered Apr 21 '17 at 05:40

Mahdi Malekian

83
6

Yes, but what I want is this to be a API accessible for anyone. – csf30816 Apr 21 '17 at 05:43
see [this link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Headers)... Access-Control-Allow-Headers does not allow * as accepted value... you should send the accepted headers (first X-Requested-With as the error says). – Mahdi Malekian Apr 21 '17 at 05:54
Thanks for the link – csf30816 Apr 21 '17 at 05:58
Although I did not find an answer there – csf30816 Apr 21 '17 at 06:03
see this...(http://stackoverflow.com/a/3829000/5768707) Questioner asserts that the problem is solved. – Mahdi Malekian Apr 21 '17 at 06:10
Hey! Thanks for that comment, testing it out now. – csf30816 Apr 21 '17 at 06:22

Access Control Allow Origin - Not Working

2 Answers2