0

I'm trying to get informations from a SystemLinkServlet.

So I tried to execute this JavaScript code from a Nintex Forms (Sharepoint) :

var http = new XMLHttpRequest();
var url = 'www.exampleservlet.com';
var params = "anyxml" 

http.open('POST', url, true)

http.setRequestHeader('Content-type', 'application/xml');
http.setRequestHeader('Access-Control-Allow-Origin', '*');

http.onreadystatechange = function() {
    if(http.readyState == 4 && http.status == 200) {
        alert(http.responseText);
    }
};

http.send(params);

But I still got this error in my console :

Access to XMLHttpRequest at 'www.exampleservlet.com' from origin 'www.exampleorigin.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

It seems that the header is ignored or maybe I can't set multiple request headers?

It works on Postman.

Update

So It worked with an extension but apparently, I can't set headers with JavaScript code in my Nintex Forms.

I'm trying to find to pass those headers without using an extension.

General Grievance
  • 4,555
  • 31
  • 31
  • 45
Louis Chopard
  • 334
  • 1
  • 11
  • Does this answer your question? [Response to preflight request doesn't pass access control check](https://stackoverflow.com/questions/35588699/response-to-preflight-request-doesnt-pass-access-control-check) – Nakarukatoshi Uzumaki Sep 24 '21 at 07:48
  • Are you setting the CORS headers in the request?!?!?! This is not how this works; CORS is meant to *protect* a server resource from a certain kind of access, if the client was allowed to set the headers it would totally defeat its purpose. There are lots of resources in the web about what is CORS, it's better to start from there. – Nikos Paraskevopoulos Sep 27 '21 at 14:47

2 Answers2

0

If you are using PHP, try adding the following code at the beginning of the php file:

If you are using localhost, try this:

header("Access-Control-Allow-Origin: *");

If you are using external domains such as server, try this:

header("Access-Control-Allow-Origin: http://www.webiste.com");

Also you I suggest you to use this extension:

https://chrome.google.com/webstore/detail/cors-unblock/lfhmikememgdcahcdlaciloancbhjino?hl=en
Adrian Biba
  • 167
  • 8
  • I used the extension and now I have this : `Request header field access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response` – Louis Chopard Sep 24 '21 at 08:09
  • @LouisChopard did you activate the extension ? – Adrian Biba Sep 24 '21 at 08:16
  • Yes I did. The error changed when I activate it (the new one is my first comment) – Louis Chopard Sep 24 '21 at 08:20
  • hope this article will help you: https://stackoverflow.com/questions/32500073/request-header-field-access-control-allow-headers-is-not-allowed-by-itself-in-pr – Adrian Biba Sep 24 '21 at 08:28
  • It worked, I add to enable Access-Control-Headers in the extension. But now, I have an other problem, I edited my question if you wanna see! I'll find a way fix it – Louis Chopard Sep 24 '21 at 08:38
  • @LouisChopard you have to configure the server with the code : header("Access-Control-Allow-Origin: *") this will allow for all websites to access the content or if you want only one domain to access you can use this: header("Access-Control-Allow-Origin: http://www.webiste.com"); – Adrian Biba Sep 24 '21 at 08:54
  • But, the request works when I call it with a Nintex Web Request workflow actions. So the domain is already allowed I think? It's when I called it from a personalize request in the Nintex forms parameters that I have this problem. But both have the same source url – Louis Chopard Sep 24 '21 at 09:00
  • I don't think you can fix this error from front-end ajax, I already fixed this issue on one of my server it's all about server configuration – Adrian Biba Sep 24 '21 at 09:05
  • Ok! Thank you for your help, I'll try to see what I can change in the server configuration – Louis Chopard Sep 24 '21 at 09:09
0

Postman or other similar tools provide you development environments. In this way, you can ignore and pass CORS rule while sending request and getting response by changing tool settings. But if you sending request via browser(chrome, firefox etc.), browsers always add some preflight controls.

For example, browser send options message to get server side rule before your http request. So that invalid or wrong requests are blocked by browser before processing your http request.

In your case, server side must include your domain information. You can not change this communication rule from client side by adding just "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: http://www.webiste.com" statements.

ultdevchar
  • 132
  • 4