-1

I have a the third party service seal (that shows business verification details) to add on website. They gave iframe / javascript code to embed on website. That embed code is checking referrer before showing the seal. So if the seal is hosted on the domain the seal is registered for it shows the seal, if the seal is hosted on another domain it shows the error that this domain is not allowed to show the seal.

When I add the same seal on domainB.com , it shows an error message that it is not allowed. I want to use the same javascript embed code of the seal on domainB.com

What I did is I uploaded the seal script on domainA.com , and use a PHP / Jquery Ajax script to load the script on domainB.com but it still showed the same error message to me.

This is the script I used on domainB.com

 $.post("https://domainA.com/test.php",
    { "post_parameter" : "post_value" },
    function(data){              
      // put the result into a div
      $('#result').html(data);
    }
  );

I was wondering if there is a way I can send a request from domainB.com which passes domain name as domainA.com and that script will not find that the request has been made from domainB.com?

I own both domains domainA.com and domainB.com, the reason I need to use the same seal on domainB.com is both domains are for the same business.

user3550203
  • 699
  • 1
  • 7
  • 15
  • 1
    CORS restrictions prevent the browser from using POST on other domains. You'll need to add an `Access-Control-Allow-Origin: https://domainB.com` header in the domainA response (and probably an OPTIONS response because the browser might might try to call that before calling the POST). – solarc Aug 28 '19 at 14:42
  • If you own DomainA, then add CORS headers to the response. If that's not the case, then what you're trying to do will not be possible through client-side JS alone – Rory McCrossan Aug 28 '19 at 14:44
  • You could try making the request server side. Depending on domainA's configuration you might be able to get away with that. – richbai90 Aug 28 '19 at 14:45
  • I own domainA.com , I already allowed CORS header to accept request from domainB.com. The script is loading fine, but its now allowing to display the seal , getting the same error from 3rd party seal script if I add the script directly to dimainB.com – user3550203 Aug 28 '19 at 14:47
  • @RoryMcCrossan its not CORS issue, the post that your tagged as duplicate is the issue with CORS. – user3550203 Aug 28 '19 at 14:49
  • From the description in the question, it very much appears to be. Can you check the console after making the request and edit the question to include the error you see – Rory McCrossan Aug 28 '19 at 14:51
  • Also, what 'seal' are you referring to. If it calls a third party service with the current domain, then it would appear to be domainB on their end, meaning if they validate domainA, you won't get the 'seal' – Rory McCrossan Aug 28 '19 at 14:52
  • @RoryMcCrossan — From the description, it sounds like a third party service is checking the referer before responding to the request. – Quentin Aug 28 '19 at 14:57
  • @Quentin this is 100% correct. The third party service seal is checking referrer before showing the seal. So if the seal is hosted on the domain the seal is registered for it shows the seal, if the seal is hosted on another domain it shows the error that this domain is not allowed to show the seal. – user3550203 Aug 28 '19 at 16:21

1 Answers1

0

If you are using localhost, try this:


header("Access-Control-Allow-Origin: *");

If you are using external domains such as server, try this:


header("Access-Control-Allow-Origin: http://www.website.com")
dılo sürücü
  • 3,821
  • 1
  • 26
  • 28