JavaScript: CORS header 'Access-Control-Allow-Origin' missing

Question

The following code does not work on Microsoft Edge. What can I do that it works?

Error:

Cross-Origin Request Blocked: The same-source rule prohibits reading the external resource at https: //spp-0006.int.kaufland/sites/topic-0193/Shared%20Documents/Files/XML_MarketList.xml. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

var xhr = new XMLHttpRequest();

xhr.open('GET', 'https://spp-0006.int.kaufland/sites/topic-0193/Shared%20Documents/Dateien/XML_Marktliste.xml', false);
xhr.send();

Does it work in other browsers? Or is that URL not CORS-enabled at all? — misorude, Jan 09 '19 at 12:01
Only in Edge? Or in other browsers as well? Because CORS is a general security feature. This should happen everywhere, by design. — Jeremy Thille, Jan 09 '19 at 12:02
Same in Firefox - generally unless website allows cross-origin requests to this resource, you can't do it with regular request, unless it's an opaque request using fetch with mode no-cors. — Zydnar, Jan 09 '19 at 12:03
Yeah, this won't work on **all browsers** if CORS is implemented. Nothing specifically to do with Edge. — Liam, Jan 09 '19 at 12:04
Possible duplicate of [How does Access-Control-Allow-Origin header work?](https://stackoverflow.com/questions/10636611/how-does-access-control-allow-origin-header-work) — Liam, Jan 09 '19 at 12:04
Please don't ask the [same question multiple times](https://stackoverflow.com/questions/54089962/javascript-xmlhttprequest-does-not-work-on-ms-edge) — Liam, Jan 09 '19 at 12:05
Because IE is flawed :) It shouldn't work because this is a security measure — Jeremy Thille, Jan 09 '19 at 12:55
As the error message said, the request missing the CORS header, you could [use the Network tool in F12 developer tools](https://learn.microsoft.com/zh-cn/previous-versions/windows/internet-explorer/ie-developer/samples/dn255004(v%3dvs.85)) to check the request/response header. Then, refer to [this article](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) to learn more about CORS and add the CORS header. — Zhi Lv, Jan 10 '19 at 09:37

score 0 · Answer 1 · answered Jan 09 '19 at 12:08

0

Your server must return some Access-Control-Allow-Origin header, where is indicated website addresses for whitch is allowed to get content from server.

This example will allow to get content from server for any website

Access-Control-Allow-Origin: *

This example will allow to get content from server only for your-site.com

Access-Control-Allow-Origin: your-site.com

And you have to note, this will not make you more secure, but you must do that, if you want to make xhr request from one domain to another.

answered Jan 09 '19 at 12:08

Profesor08

1,181
1
13
20

I cant do anything on the server. I have written a JavaScript program which is local on my pc and I need access to XML_Marktliste.xml which is located on a server. – MarkusS Jan 17 '19 at 08:38
Then forget to use your program in browser. Use `node program.js` – Profesor08 Jan 17 '19 at 11:19
it is posible in any environment, in which you can ignore cors. – Profesor08 Jan 17 '19 at 17:13

JavaScript: CORS header 'Access-Control-Allow-Origin' missing

1 Answers1