Please help... I am trying to get the token but I hit an error

HTTP Method                     : POST
Production URL                  :  https://exampleRL/token
"Authorization" header value    :  Basic base64encode(Client_ID:Secret)
"Content-Type" header value     :  application/x-www-form-urlencoded
"grant_type" form data value    :  client_credentials

My javascript within the HTML code

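```javascript
var reqtoken = new XMLHttpRequest();
var urltoken = "https://exampleRL/token";

// loginDetails and data are defined elsewhere in the page and are not shown in the post.
reqtoken.withCredentials = true;
reqtoken.open("POST", urltoken);
reqtoken.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// The Authorization header is what makes the browser send a CORS preflight (OPTIONS) first.
reqtoken.setRequestHeader("Authorization", "Basic " + loginDetails);

reqtoken.send(data);
```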

Hitting Error :

Access to XMLHttpRequest at 'https://exampleRL/token' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Please help.. Don't understand what's wrong..

irene
  • The error you provide is a CORS error. See this question for background: [How does Access-Control-Allow-Origin header work?](https://stackoverflow.com/questions/10636611/how-does-access-control-allow-origin-header-work). – andrewJames Feb 14 '20 at 12:55
  • I saw that. But I still don't understand how I can overcome this error. – irene Feb 14 '20 at 13:03
  • The way I have resolved this in the past is as follows (there may be other/better ways): The server which your app is trying to hit needs to implement some form of CORS whitelist. That is where allowed headers, methods, origins, etc. are defined. See [this question](https://stackoverflow.com/questions/16296145/set-cors-header-in-tomcat/18850438#18850438) for a discussion - the example is from Tomcat (the web.xml file is where the CORS config details can be added). This assumes you have access to that server - or know someone who does. – andrewJames Feb 14 '20 at 13:09
  • I can get the token and call the API via Postman with the correct credentials etc. But why, when I call via the browser, does it hit an error with the web? – irene Feb 14 '20 at 13:32
  • Why does it work in Postman but not in your app/browser? I am not very familiar with Postman, but have a look at this: [Postman is an app, not a browser](https://stackoverflow.com/questions/36250615/cors-with-postman). Same thing goes for tools such as `wget` and `cURL` - or something like a Python script which does not run in a browser - and where the concept of an _origin_ is not relevant, in the way it is relevant for browsers (and cross-site attacks). – andrewJames Feb 14 '20 at 18:22
  • One final note in case it helps: Your error message mentions a "null" origin, suggesting you are possibly running a web page that is in a file (so, the address bar in your browser begins with `file://...` as opposed to `http://...`). That is likely to also be blocked by default - see the notes discussing "null" [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin). CORS can be frustrating to navigate in some cases! – andrewJames Feb 14 '20 at 18:36
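
The checks discussed in the comments above, as an added example that is not part of the original thread: a simplified model of the browser's preflight decision and of a server-side origin allowlist. The function names, the `https://app.example` origin and the sample request are constructed for illustration.

```javascript
// Added example (not from the thread): simplified model of the Fetch-standard CORS checks.
const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const list = (v) => (v || "").toLowerCase().split(",").map((s) => s.trim());

// Header names that force a preflight (e.g. Authorization, or a JSON Content-Type).
function unsafeHeaders(req) {
  return Object.entries(req.headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFELISTED.has(n)) return true;
    return n === "content-type" && !SIMPLE_TYPES.has(value.split(";")[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase());
}

function needsPreflight(req) {
  return !SIMPLE_METHODS.includes(req.method) || unsafeHeaders(req).length > 0;
}

// Server side (hypothetical handler): answer OPTIONS from an explicit origin allowlist.
function preflightResponse(allowlist, origin) {
  if (!allowlist.includes(origin)) return {}; // unknown origin: send no CORS headers
  return {
    "access-control-allow-origin": origin, // echo the exact origin; "*" fails with credentials
    "access-control-allow-methods": "POST",
    "access-control-allow-headers": "authorization, content-type",
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

// Browser side: would this preflight response let the real request go out?
function checkPreflight(req, res) {
  const acao = res["access-control-allow-origin"];
  if (!acao) return "blocked: no Access-Control-Allow-Origin header";
  if (req.withCredentials && acao === "*") return "blocked: wildcard origin with credentials";
  if (acao !== "*" && acao !== req.origin) return "blocked: origin mismatch";
  if (req.withCredentials && res["access-control-allow-credentials"] !== "true") return "blocked: credentials not allowed";
  const allowed = list(res["access-control-allow-headers"]);
  const missing = unsafeHeaders(req).filter((h) => !allowed.includes(h));
  if (missing.length) return "blocked: header not allowed: " + missing.join(", ");
  if (!SIMPLE_METHODS.includes(req.method) && !list(res["access-control-allow-methods"]).includes(req.method.toLowerCase())) return "blocked: method not allowed";
  return "allowed";
}

// Constructed request mirroring the question: page opened from file://, so the origin is "null".
const tokenRequest = {
  origin: "null", method: "POST", withCredentials: true,
  headers: { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic <placeholder>" },
};
const ALLOWLIST = ["https://app.example"]; // constructed allowed origin
```

Postman and `cURL` never run `checkPreflight`, which is why the same request succeeds there; only the browser enforces it on behalf of the page's origin.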

0 Answers