I am running some JavaScript in my web tool which is using ajax to retrieve some data but I always get 401 Unauthorised error. The server has disallowed cross-origin requests and I do not have access to the server. Now on Chrome I can disable the web-security and it works fine. But I mainly need to accomplish this on RHEL5, which I am running on my machine, which has only Firefox since I am unable to install Chrome. I have tried disabling the `security.fileuri.strict_origin_policy` and also tried installing the cors-everywhere extension. Nothing seems to work. If anyone has any experience with this please help.
Mehul Agrawal
401 Unauthorised is normally unrelated to CORS. It's simply an authentication issue. The server could not verify your credentials (or, you didn't send any). If there was a CORS problem that could be fixed in the browser you wouldn't even get as far as getting a 401 - this implies you actually reached the server, it responded to the request (perhaps with suitable CORS headers - you can check in your browser's network tools) but issued an authentication error instead of returning the expected response. – ADyson Oct 17 '17 at 12:34
-
It _could_ be that the server has been (badly IMO) programmed to return this HTTP code if it thinks the request was cross-origin and made via ajax, but if that's the case then no amount of fiddling with the browser settings will make any difference because it's the server's logic which is doing that. But that would be quite an unusual, unconventional, and arguably incorrect implementation of CORS restrictions. If the server wants to disallow CORS it simply has to not return the necessary headers in the response. – ADyson Oct 17 '17 at 12:37
-
As I mentioned, disabling CORS policy in Chrome results in code working fine. Additionally, it specifically gives me an error `Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://sample-url. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).` I would also like to mention if I change the dataType to jsonp I do receive the data but since the data received is in json format I get a syntax error – Mehul Agrawal Oct 17 '17 at 12:38
-
`Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://sample-url. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)` is nothing to do with a 401 error. I can't see how you can be getting both of those at once? – ADyson Oct 17 '17 at 12:39
-
I just want to know that just like you can disable the web-security in chrome can this be done in firefox – Mehul Agrawal Oct 17 '17 at 12:39
-
Ok and I just want to know where the 401 comes into it? Is it actually relevant? You're not being very clear about what exactly is happening. Like I said before, if you got a 401, it implies you already got past the CORS restrictions. Please clarify exactly what happens and in what order. – ADyson Oct 17 '17 at 12:40
-
It's my company domain so I don't fully understand. I know that without CORS both 401 error and CORS error are resolved. So I'd like to disable the policy in firefox for testing in RHEL5 but am unable to figure out how. – Mehul Agrawal Oct 18 '17 at 03:25
-
A request is still cross-origin if it goes from one machine to another, even if they're on the same domain. It can even be considered cross-origin if it goes from one port to another on the same machine (effectively because it must be going from one installed website to another). So the fact it's your company domain I don't think is relevant. – ADyson Oct 18 '17 at 05:34
-
Anyway, we still need to be clearer. Set the scene...you installed cors-everywhere on your Firefox. Then you tried to access this site...but you still get `Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://sample-url. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)` when you try to make the request? Or not? And at what point do you see the 401? After that? In a different request? I don't see how you could receive both simultaneously from the same request. As I asked before, please clarify in detail what is happening. – ADyson Oct 18 '17 at 05:36
-
Yes even after installing CORS everywhere I get the error. In the console corresponding to the request the 401 error is shown and below it the CORS error is shown in the same request. I think the server is designed to respond with the 401 html explicitly. Through postman or in Chrome with web-security disabled the request works perfectly, that is the reason for me to believe it's actually a CORS issue – Mehul Agrawal Oct 18 '17 at 06:49
-
Hm. Well cors-everywhere is, online, the accepted solution for bypassing CORS restrictions in Firefox. So strange that it doesn't work. Have you definitely enabled it? According to https://addons.mozilla.org/en-Gb/firefox/addon/cors-everywhere/ it isn't switched on by default, just because it's installed. There's a bit more info here: https://github.com/spenibus/cors-everywhere-firefox-addon/blob/master/README.md including a test page you can download and run – ADyson Oct 18 '17 at 06:54
-
I don't think it actually works. There are many questions same as mine where people have tried all these extensions and they don't work for anyone. I think the extension just inserts a wildcard value to access header which only works when the server has just not mentioned any cors permissions. But if the server has explicitly put cors restriction then the wildcard value doesn't work which is my case. So my only option is to disable the cors policy in the browser. – Mehul Agrawal Oct 18 '17 at 11:13
-
"server has explicitly put cors restriction". Are you saying the server only accepts CORS requests from certain domains (via the allow-origin header)? That's the only _positive_ CORS restrictions which can be placed via the server. All other restrictions are negative (i.e. by simple omission of headers). But I'd have expected that cors-everywhere would intercept the response, overwrite that header with a * wildcard value and then return it to the page. Perhaps it doesn't. From googling I can't see any other way to disable CORS in Firefox config, sorry. – ADyson Oct 18 '17 at 11:23
-
I think the server does not accept requests from any domain but its own. That is why even the * wildcard does not work. Anyways even I could not find any solution that is why I posted a question. Tough times. – Mehul Agrawal Oct 18 '17 at 11:46
-
"server does not accept requests from any domain but its own" - but surely that can't be true if it will work in Chrome, as you mentioned in the question? If the issue is specific to Firefox. Also `Reason: CORS header ‘Access-Control-Allow-Origin’ missing` in your error message indicates that the server isn't returning any kind of header that would restrict the domain. Can you show the actual response headers you're getting back please (i.e. just like the picture in this question - https://stackoverflow.com/questions/38237187/firefox-does-not-accept-access-control-allow-origin) – ADyson Oct 18 '17 at 13:00
-
One other thing though - The CORS standard says regarding the "Access-Control-Allow-Origin" header: _"The string '*' cannot be used for a resource that supports credentials."_ Do you send credentials in your ajax request? That could be why cors-everywhere is failing - it may inject that header, but it's not valid for requests which require credentials. – ADyson Oct 18 '17 at 13:03
-
If by credentials you mean parameters then yes I do – Mehul Agrawal Oct 23 '17 at 10:36
-
Credentials could mean username/password, or an access token or GUID, sent in the header often, depending what the server requires. "parameters" could mean any old data. I'm talking specifically about authentication credentials. e.g. see https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials – ADyson Oct 23 '17 at 11:05
-
In that case no, I'm not sending any credentials. I think even if I do, the server has no provision to accept the credentials. It has just blocked CORS requests. – Mehul Agrawal Oct 23 '17 at 12:11
-
The 401 challenge would suggest you ought to be sending some? That's what a 401 means - it's asking you to supply credentials to authenticate the request. – ADyson Oct 23 '17 at 12:29
-
Well then that is not possible because the server domain uses two factor authentication : username and password and then an OTP generated from Yubikey – Mehul Agrawal Oct 23 '17 at 12:53
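
The browser-side check discussed in the comments above, as an added example that is not part of the original thread: a simplified model of the CORS check a browser applies to the actual response (the preflight is not modelled). It shows why a 401 and a missing `Access-Control-Allow-Origin` error can be logged for the same request, and why a `*` value fails once credentials are sent. The function names, the origin `https://tool.example` and the sample responses are constructed for illustration.

```javascript
// Added example: simplified model of the browser's CORS check on a response.
// All names and sample values here are constructed, not taken from the thread.

// Case-insensitive header lookup; returns null when the header is absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Decide whether page script may read the response.
// The HTTP status plays no part in this decision.
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) {
    return { readable: false, reason: 'Access-Control-Allow-Origin missing' };
  }
  if (allowOrigin === '*') {
    // The wildcard is only honoured for requests made without credentials.
    return withCredentials
      ? { readable: false, reason: 'wildcard not allowed with credentials' }
      : { readable: true, reason: 'wildcard, no credentials' };
  }
  if (allowOrigin !== requestOrigin) {
    return { readable: false, reason: 'origin does not match' };
  }
  if (!withCredentials) {
    return { readable: true, reason: 'origin matches' };
  }
  const allowCreds = getHeader(responseHeaders, 'Access-Control-Allow-Credentials');
  return allowCreds === 'true'
    ? { readable: true, reason: 'origin matches, credentials allowed' }
    : { readable: false, reason: 'Access-Control-Allow-Credentials not true' };
}

// What the calling script observes: the server's status is visible only if
// the CORS check passes; otherwise the script gets a network error while
// the browser's network tools still show the real status (for example 401).
function pageSees(response, requestOrigin, withCredentials) {
  const check = corsCheck(requestOrigin, withCredentials, response.headers);
  return {
    statusInNetworkTools: response.status,
    statusVisibleToScript: check.readable ? response.status : null,
    reason: check.reason,
  };
}
```

Calling `pageSees({ status: 401, headers: { 'Content-Type': 'text/html' } }, 'https://tool.example', false)` reproduces the combination described in the thread: the network tools show 401 while the script is blocked because the header is missing.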