I am getting the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at https://www.icims.com/bellworks. (Reason: CORS
preflight channel did not succeed).
Despite the fact that accessing the URL directly gives the following
in the header:
Access-Control-Allow-Origin: *
Where do you see that? I don’t see any Access-Control-Allow-Origin response header at all in responses from https://www.icims.com/bellworks—not in browser devtools nor, e.g., curl:
$ curl -i -H "Origin: http://example.com" https://www.icims.com/bellworks
HTTP/1.1 200 OK
Age: 141
Cache-Control: public, max-age=1800
Content-Type: application/javascript; charset=utf-8
Date: Tue, 09 May 2017 10:17:38 GMT
Etag: "1494323930-1"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 09 May 2017 09:58:50 GMT
Server: nginx
Vary: Cookie,Accept-Encoding
Via: 1.1 varnish
X-AH-Environment: prod
X-Cache: HIT
X-Cache-Hits: 2
X-Content-Type-Options: nosniff
X-Drupal-Cache: HIT
X-Request-ID: v-66496654-34a0-11e7-ba07-22000a2c8dd2
X-Varnish: 2264707046 2264675783
Content-Length: 6443
Connection: keep-alive
In simple cases like this, if 1) you don’t control the server you want to get data from in your frontend JS code, and 2) that server doesn’t send Access-Control-Allow-Origin in its responses, you can change your frontend code to instead make the request through an open CORS proxy:
$.ajax({
url: "https://cors-anywhere.herokuapp.com/https://www.icims.com/bellworks",
…
});
That’ll cause the request to be made to https://cors-anywhere.herokuapp.com, a proxy which will then send it to https://www.icims.com/bellworks. And when that proxy gets the response, it’ll take it and add the Access-Control-Allow-Origin response header to it and then pass that back to your requesting frontend code as the response.
That response with the Access-Control-Allow-Origin response header is what the browser sees, so the error message the browser engine is showing you now goes away, and the browser allows your frontend JavaScript code to access the response.
Or use the code from https://github.com/Rob--W/cors-anywhere/ or such to set up your own proxy.
What are these CORS plugins doing that I’m not?
What they’re differently is, they’re just not being blocked by the browser. Plugins can do anything they want—which includes bypassing the cross-origin restrictions that browser impose on frontend JavaScript code in web apps the browser executes the code from.
Browser devtools are also unaffected by cross-origin restrictions—if you use devtools to examine the request you’re getting that Cross-Origin Request Blocked message for, you’ll notice that you can actually see the response in devtools. But that doesn’t mean the browser will necessarily expose the response to your frontend JavaScript code. The browser will only let your frontend JavaScript code access it if the response includes the Access-Control-Allow-Origin header.
Clearly, this is something I need to add to the client-side of the origin, correct?
No. There’s nothing you do from the client side which will change the fact that if your frontend JS code makes a cross-origin request and the response doesn’t include the Access-Control-Allow-Origin header, your browser will block your code from accessing the response. Period.
That is, I need to make changes to me AJAX request.
No, for the reason given above.
I do not need to make any changes to the responding server.
You do need to change the responding server to send the Access-Control-Allow-Origin header. Either that, or as explained above, you need to send the request through a proxy that will add the Access-Control-Allow-Origin header to the response the browser sees.
What do I need to add in my request to correct this issue?
If you don’t control the server the request is being made to, really your only choice is to change your code to instead make the request through a proxy that adds Access-Control-Allow-Origin.
