
I have an ajax request which connects to http://example.com:6001.

However, it will work only when I open http://example.com:6001 in the browser, which loads index.html (which is run through Node.js on port 6001). This works fine and ajax returns:

XHR finished loading: http://example.com:6001/_api/

However, when I open index.html from my Apache server on :80, the ajax call will return:

XMLHttpRequest cannot load http://example.com/_api/?xxx. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://example.com' is therefore not allowed access.

I’m not sure whether this error is returned by CouchDB or by Apache.

I’ve tried some variations of the following in /etc/apache2/sites-available/000-default.conf of Apache:

<VirtualHost *:6001>
        Header set Access-Control-Allow-Origin *
        Header set Access-Control-Allow-Credentials "false"
</VirtualHost>

And in /etc/couchdb/local.ini of Couch DB (from the Cross-Origin Resource Sharing documentation):

[httpd]
enable_cors = true

[cors]
origins = *
credentials = false

The last one makes the most sense because it seems to point out the credentials flag.

It shouldn’t be the script either, because it works within the same “port-domain” (i.e., :6001).

Castaglia
TrySpace

2 Answers


This error is returned by your browser.

Basically, it means you just can't do that.

CORS-related headers should not be set in Apache (in your case).

Generate that in your NodeJS application with specified domain:port, not wildcard.

Here's a similar case you may want to have a look at.

I don't know NodeJS. In PHP you can use

header("Access-Control-Allow-Origin: ".$_SERVER['HTTP_ORIGIN']);

to simulate wildcard.

Shiji.J
To add to this answer, the request header you are looking for is "Origin", which you can get with req.headers["Origin"]. In your Node application you may query this request header and see if the host in there is valid, then return it with a response header "Access-Control-Allow-Origin: " + req.headers["Origin"]. – Flash Apr 01 '18 at 23:59

Paragraph 6.1.3 "Simple Origin Request, Actual Request, and Redirects" does not allow the resource server to respond with a wildcard permission when the resource would expect credentials.

http://www.w3.org/TR/cors/#resource-requests

I guess this protects against developers blindly exposing credentials-protected resources to any possible client, including those that could run on plain-view http sites. Replying with the request's Origin URL in Access-Control-Allow-Origin seems to indicate enough of developers' awareness about allowing secrets to travel globally.

$ curl -v https://www.googleapis.com/urlshortener/v1/url -X OPTIONS -H "Origin: http://foo" -H "Access-Control-Request-Method: GET"
* Hostname was NOT found in DNS cache
*   Trying 216.58.216.170...
* Connected to www.googleapis.com (216.58.216.170) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*    subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.storage.googleapis.com
*    start date: 2015-04-08 14:12:01 GMT
*    expire date: 2015-07-07 00:00:00 GMT
*    subjectAltName: www.googleapis.com matched
*    issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*    SSL certificate verify ok.
> OPTIONS /urlshortener/v1/url HTTP/1.1
> User-Agent: curl/7.38.0
> Host: www.googleapis.com
> Accept: */*
> Origin: http://foo
> Access-Control-Request-Method: GET
> 
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Date: Thu, 16 Apr 2015 03:56:29 GMT
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: DELETE,GET,HEAD,PATCH,POST,PUT
< Access-Control-Allow-Origin: http://foo
< Access-Control-Max-Age: 3600
< Vary: Origin
< Vary: X-Origin
< Content-Type: application/octet-stream
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Content-Length: 0
* Server GSE is not blacklisted
< Server: GSE
< Alternate-Protocol: 443:quic,p=0.5
< 
* Connection #0 to host www.googleapis.com left intact
eel ghEEz
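The rule the answer cites is enforced on the client side, so it is worth seeing the check the browser performs written out. The following is an added example, not part of the answer: it implements the CORS check from the Fetch standard (the current form of the W3C text quoted above) and runs it over the response headers copied from the curl transcript, plus a constructed response reproducing the wildcard-plus-credentials combination from the question. The small curl-transcript parser and the function names are this example's own.

```javascript
// Added example, not code from the answer: the browser-side CORS check,
// applied to the preflight response captured with curl above.

// Parse the "< Name: value" response lines of a curl -v transcript into a map
// with lowercased header names. Repeated headers (the two Vary lines above)
// are joined with ", " as HTTP permits; the status line and "< " are skipped.
function parseCurlResponseHeaders(transcript) {
  const headers = {};
  for (const raw of transcript.split("\n")) {
    const line = raw.trim();
    if (!line.startsWith("< ")) continue;
    const body = line.slice(2);
    const idx = body.indexOf(":");
    if (idx === -1) continue;
    const name = body.slice(0, idx).trim().toLowerCase();
    const value = body.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// The CORS check a browser runs on a response to a request sent from `origin`,
// with credentials either included or omitted. Returns { ok: true } or
// { ok: false, reason }. The reason strings are constructed for this example.
function corsCheck(headers, origin, withCredentials) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // "*" is fine only for requests that carry no credentials.
  if (!withCredentials && acao === "*") {
    return { ok: true };
  }
  // Otherwise the header must equal the request origin byte for byte, which
  // is exactly why a wildcard fails once the credentials flag is true.
  if (acao !== origin) {
    return {
      ok: false,
      reason: acao === "*"
        ? "wildcard Access-Control-Allow-Origin is not allowed when the credentials flag is true"
        : `Access-Control-Allow-Origin '${acao}' does not match origin '${origin}'`,
    };
  }
  if (!withCredentials) {
    return { ok: true };
  }
  // Case-sensitive comparison: "True" or "TRUE" is rejected by browsers too.
  if (headers["access-control-allow-credentials"] === "true") {
    return { ok: true };
  }
  return { ok: false, reason: "Access-Control-Allow-Credentials is not exactly 'true'" };
}

// Response lines copied from the curl transcript in the answer above.
const GOOGLE_PREFLIGHT = `
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: DELETE,GET,HEAD,PATCH,POST,PUT
< Access-Control-Allow-Origin: http://foo
< Access-Control-Max-Age: 3600
< Vary: Origin
< Vary: X-Origin
< Content-Length: 0
`;

// Constructed response reproducing the combination the question ran into:
// wildcard origin together with credentials.
const WILDCARD_WITH_CREDENTIALS = `
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
`;

// Runs the three cases of interest and returns their verdicts.
function demo() {
  return {
    // Google reflected http://foo and set credentials: accepted.
    google: corsCheck(parseCurlResponseHeaders(GOOGLE_PREFLIGHT), "http://foo", true),
    // Wildcard with credentials from http://example.com: rejected, as in the question.
    broken: corsCheck(parseCurlResponseHeaders(WILDCARD_WITH_CREDENTIALS), "http://example.com", true),
    // The same response for a request without credentials: accepted.
    anonymous: corsCheck(parseCurlResponseHeaders(WILDCARD_WITH_CREDENTIALS), "http://example.com", false),
  };
}

console.log(demo());
```

The `broken` case is the question's situation: the server says `*`, the XHR sends cookies, and the browser refuses regardless of what `Access-Control-Allow-Credentials` says. The `anonymous` case shows the other way out of it: if the API does not need cookies or HTTP auth, dropping `withCredentials` on the client makes the wildcard acceptable again, which is what CouchDB's `credentials = false` setting in the question aims at.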