There is a small Firebug-esque program (written in JavaScript) which is injected into a webpage and which helps a user to check the DOM of that page and easily get attributes such as the XPath of a particular element on that webpage.
In order to achieve some of its other functionality, as this JavaScript is injected onto a webpage, it makes some HTTP requests to a couple of other Jetty servers. I'm not exactly well versed in the exact architecture of these HTTP calls, but when I look at the network requests on the developer console, the origin of these requests is the site on which the program is to be loaded. Example: if the user wants to inspect https://www.google.com, the origin of the requests will be https://www.google.com.
Now this program works perfectly on every other tested site except admin.booking.com. As I try to start the app on this site, I get the following error in the console:
Request header field: X-Booking-CSRF is not allowed by Access-Control-Allow-Headers in preflight request
When I look at the network requests in the console, there is the usual OPTIONS request sent and there is an x-booking-csrf token in the request header.
I am currently unable to share any code as it's on my work machine and it's currently the weekend, but I should be able to on Monday, if needed.
Any help would be greatly appreciated. Thanks.
NOTE: The program works as required on admin.booking.com when the google CORS plugin is enabled but this is not desirable as it works on every other site without the plugin enabled.
EDIT: I have to make this edit since apparently this question has been marked as duplicate. I must emphasize that this problem only occurs on the specified site. This error does NOT occur on any other site. And I have already visited probably every "Access-Control-Allow-Origin" question on StackOverflow and none of the fixes specified seems to help. I just need to know how to handle the X-Booking-CSRF token. Thanks.
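The console error quoted in the question is produced by the browser's preflight check: every request header that is not CORS-safelisted has to be named in the `Access-Control-Allow-Headers` value of the OPTIONS response. The sketch below is an added example, not code from the original post or from the tool it describes; it is a simplified model of that check (value-length rules for safelisted headers are not modelled), the function names are hypothetical, and the header sets are constructed sample data.

```javascript
// Added example: models the header part of the browser's CORS preflight check.
// All header sets below are constructed sample data, not captured traffic.

// Simplified safelist: these names never need to be announced or allowed.
const SAFE_NAMES = new Set(["accept", "accept-language", "content-language"]);
// Content-Type is safelisted only for these three media types.
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Names the browser has to announce in Access-Control-Request-Headers.
function unsafeHeaderNames(requestHeaders) {
  const names = [];
  for (const [rawName, value] of Object.entries(requestHeaders)) {
    const name = rawName.toLowerCase();
    if (SAFE_NAMES.has(name)) continue;
    if (name === "content-type") {
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(essence)) continue;
    }
    names.push(name);
  }
  return names.sort();
}

// Returns the request headers that the preflight response does not permit.
function blockedHeaders(requestHeaders, allowHeaders, withCredentials = false) {
  const allowed = new Set(
    (allowHeaders || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  // "*" acts as a wildcard only for requests sent without credentials,
  // and it never covers Authorization.
  const wildcard = allowed.has("*") && !withCredentials;
  return unsafeHeaderNames(requestHeaders).filter(
    (name) => !allowed.has(name) && !(wildcard && name !== "authorization")
  );
}

// Constructed request carrying the header named in the question's error.
const sampleRequest = {
  "Accept": "application/json",
  "Content-Type": "application/json",
  "X-Booking-CSRF": "<token placeholder>",
};

console.log(blockedHeaders(sampleRequest, "Content-Type"));                 // [ 'x-booking-csrf' ]
console.log(blockedHeaders(sampleRequest, "Content-Type, X-Booking-CSRF")); // []
```

The `Access-Control-Allow-Headers` value is set by whichever server answers the OPTIONS request, so that response is where a header name has to be listed for the check to pass.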