
My AJAX function:

function ajaxQuery(url, method, param, async, onsuccess, onfailure) {
    var xmlHttpRequest = new XMLHttpRequest();
    // Dispatch to the success or failure callback (if supplied) based on the HTTP status.
    var callback = function(r) { r.status==200 ? (typeof(onsuccess)=='function' && onsuccess(r)) : (typeof(onfailure)=='function' && onfailure(r)); };

    // Asynchronous mode: run the callback once the request has completed (readyState 4).
    if(async) { xmlHttpRequest.onreadystatechange = function() { if(xmlHttpRequest.readyState==4) { callback(xmlHttpRequest); } } }
    xmlHttpRequest.open(method, url, async);
    xmlHttpRequest.setRequestHeader('X-REQUESTED-WITH', 'XMLHttpRequest');
    // Send cookies/auth with the cross-origin request.
    xmlHttpRequest.withCredentials = true;
    if(method == 'POST') { xmlHttpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); }
    xmlHttpRequest.send(param);
    // Synchronous mode: the response is already available after send().
    if(!async) { callback(xmlHttpRequest); }
}

Function call:

ajaxQuery('http://example.net/index.php', 'GET', null, true, function(r) {
    tmp.innerHTML = r.responseText;
    nlt = [].map.call(tmp.querySelectorAll('.nlt'), function(x) { return x.textContent; });
});

Headers set in PHP:

header('Access-Control-Allow-Origin: https://example.com');
header('Access-Control-Allow-Origin: https://www.example.com');
header('Access-Control-Allow-Origin: http://example.net');
header('Access-Control-Allow-Methods: GET, OPTIONS');
header('Access-Control-Allow-Credentials: true');
if(!preg_match('%https?:\/\/(www\.)?example\.com%', $_SERVER['HTTP_REFERER']) && !preg_match('%https?:\/\/example\.net%', $_SERVER['HTTP_REFERER'])) { die('No way!'); }

I am calling the userscript from a page that uses https, and my domain uses http. When I try AJAX through http, I get (Firefox) Blocked loading mixed active content. If I switch the query URL to https, the error changes to Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource, even though my PHP script clearly allows for requests from the external site. What am I missing?

In this particular example, my site is "http://example.net" and the external site is "https://www.example.com"

Pyromonk
  • Does it work when you use only `header('Access-Control-Allow-Origin: *');`? – spielerds Jun 23 '18 at 06:59
  • @spielerds, no, it doesn't. Same `Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource` error. – Pyromonk Jun 23 '18 at 07:07
  • Is this the whole error message? It should contain the blocked domain too. Does it? :) – spielerds Jun 23 '18 at 07:10
  • @spielerds, the domain blocked is my personal domain ("http://example.net/index.php"). I am not disclosing the real one for anonymity purposes. – Pyromonk Jun 23 '18 at 07:11
  • do you have access to the external site? can you change that external domain's CORS policy? – Inus Saha Jun 23 '18 at 07:12
  • @InusSaha, I do not have administrative access to the external site, I cannot modify their policies. – Pyromonk Jun 23 '18 at 07:14
  • look at this: https://stackoverflow.com/questions/23959912/ajax-cross-origin-request-blocked-the-same-origin-policy-disallows-reading-the You may need to try JSONP request – Inus Saha Jun 23 '18 at 07:16
  • for JSONP request check: https://stackoverflow.com/a/22780569/4541018 – Inus Saha Jun 23 '18 at 07:18
  • Then you don't really need 3 lines of Access-Control-Allow-Origin. Try leaving only the last one there. As far as I know, not all browsers accept multiple Access-Control-Allow-Origin headers. – spielerds Jun 23 '18 at 07:26
  • @InusSaha, thank you, I've looked at those before asking my question, and they haven't helped me, unfortunately. – Pyromonk Jun 23 '18 at 07:44
  • @spielerds, I've tried leaving them out, but the error would still kick in. My userscripts have worked with this exact same setup in the past, I'm thinking this is an http/https problem. – Pyromonk Jun 23 '18 at 07:44

2 Answers

It is impossible to get an external resource through AJAX, JSONP or iFrames if the protocols don't match, at least in Firefox and Chromium, due to stupid "mixed content" restrictions. My website is running over http, and the website for which the userscript has been written has enforced https (meaning trying to request its pages through http automatically redirects to https, so I can't even work around the restriction by opting in for http).

Pyromonk


The Access-Control-Allow-Origin header should be the same value as the Origin header as long as you want to allow it.

So, you want multiple domains. I recommend you use a regex.

Hax0r
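As an added example (not from the question or either answer), here is the Origin-based check described above written as a pure Node.js function: it echoes the request's Origin back only on an exact allowlist hit, instead of sending three Access-Control-Allow-Origin headers (PHP's header() replaces an earlier header of the same name by default, so only the last one survives, and browsers reject a multi-valued one anyway), and it adds the Access-Control-Allow-Headers a preflight needs because the X-REQUESTED-WITH header set in ajaxQuery is not CORS-safelisted. The three allowed origins are assumed from the question; exact matching is used rather than a regex so that a lookalike such as example.com.evil.test cannot match.

```javascript
// Added example, not code from the question or answers. Builds the CORS response
// headers for a request whose Origin header value is `origin`.
// Assumed allowlist: the three origins named in the question.
const ALLOWED_ORIGINS = new Set([
  'https://example.com',
  'https://www.example.com',
  'http://example.net',
]);

// Returns the headers to add to the response. `origin` is the request's Origin
// header (undefined for same-origin / non-CORS requests). Credentials are only
// allowed on an exact allowlist match; '*' is never emitted because browsers
// refuse a wildcard together with Access-Control-Allow-Credentials.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin tells caches the response depends on the requester's origin,
  // so a response generated for one origin is not replayed to another.
  const headers = { 'Vary': 'Origin' };
  if (typeof origin !== 'string') return headers;

  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return headers; // malformed Origin (or the literal "null"): not allowed
  }
  // parsed.origin is normalised to scheme://host[:port] (lower-cased host,
  // default port dropped, no path), so 'https://EXAMPLE.com/' compares equal
  // to 'https://example.com' while 'https://example.com.evil.test' does not.
  const normalised = parsed.origin;
  if (!allowed.has(normalised)) return headers;

  headers['Access-Control-Allow-Origin'] = normalised;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS';
  // Needed for the preflight triggered by the custom X-Requested-With header.
  headers['Access-Control-Allow-Headers'] = 'X-Requested-With';
  return headers;
}

module.exports = { corsHeaders, ALLOWED_ORIGINS };
```

Respond to the OPTIONS preflight with these same headers and an empty 204 body; the actual GET then carries them alongside the page content.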