XMLHttpRequest cannot load <website>. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '<otherwebsite>' is therefore not allowed access. The response had HTTP status code 401.

What I'm curious about is that last line at the end. There's some point in my PHP code where I can change the status code and it changes the number in that output. But if the browser is blocking the request, how is it possible that server-side application code where this change is happening is being executed?

Sam Jacobs
  • How is what possible? Question is not very clear – charlietfl Jul 15 '16 at 21:12
  • The browser can receive the http status code, in this case a "401 not authorized", but the same-origin policy disallows the page from loading after the status code and other headers are received, as it needs to read the headers to check for a CORS header anyway – adeneo Jul 15 '16 at 21:13
  • @charlietfl edited for more clarity. – Sam Jacobs Jul 15 '16 at 21:17
  • @adeneo thanks for your response. How can it be processing the request server-side when this is what the same-origin policy is attempting to disallow? The 401 is explicitly set in server-side app code. – Sam Jacobs Jul 15 '16 at 21:18
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control – gladiola Jul 15 '16 at 21:21
  • Doing a cross-domain ajax call means your browser hits the specified site with an `OPTIONS` request, so it can check that the access-control header is present and allows the request. That `OPTIONS` call ended up getting a 401 error. – Marc B Jul 15 '16 at 21:22
  • Thanks @MarcB. Does that mean that controller code may be executed during an `OPTIONS` request? – Sam Jacobs Jul 15 '16 at 21:27
  • CORS is enforced by the client after the response is received, so that means the controller code will have run already. – Barmar Jul 15 '16 at 21:33
  • If you want the controller code to run on the server, just use the example here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control Check to see if your origin is as expected. If it is, then advise your receiving browser that the communication is valid by setting the header with `header('Access-Control-Allow-Origin: ...')`. That CORS is there to cut down on cross site. That's why there are verification examples, etc. – gladiola Jul 15 '16 at 21:35

0 Answers
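
The behaviour the comments describe, as an added example that is not part of the original thread: a JavaScript model of the server dispatch and the browser's CORS check. It shows that a handler with no CORS handling runs the controller even for the `OPTIONS` preflight and returns the 401, while a handler that answers the preflight first does not. `ALLOWED_ORIGINS`, `controller`, `handle`, `scriptMayRead` and the origins are assumptions made for illustration.

```javascript
// Added example. ALLOWED_ORIGINS, controller, handle and scriptMayRead are
// hypothetical names; origins and requests below are constructed samples.
const ALLOWED_ORIGINS = new Set(['https://app.example']);
let controllerRuns = 0;

function controller(req) {
  controllerRuns++; // stands in for any server-side work or side effect
  return req.headers.authorization
    ? { status: 200, headers: {}, body: 'ok' }
    : { status: 401, headers: {}, body: 'login required' };
}

// Server side. corsAware=false sends every method, OPTIONS included, to the
// controller and adds no CORS header: the situation in the question.
function handle(req, corsAware) {
  if (!corsAware) return controller(req);
  const origin = req.headers.origin;
  const cors = ALLOWED_ORIGINS.has(origin)
    ? { 'access-control-allow-origin': origin, vary: 'Origin' }
    : {};
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    // Preflight: answer from the allow-list and stop before the controller.
    if (cors['access-control-allow-origin']) {
      cors['access-control-allow-methods'] = 'GET, POST';
      cors['access-control-allow-headers'] = 'authorization';
    }
    return { status: 204, headers: cors, body: '' };
  }
  const res = controller(req);
  return { ...res, headers: { ...res.headers, ...cors } }; // 401s carry it too
}

// Browser side: evaluated only after the response has arrived, so the server
// has already run. It decides whether page script may read the response.
function scriptMayRead(pageOrigin, res) {
  const allow = res.headers['access-control-allow-origin'];
  return allow === '*' || allow === pageOrigin;
}

const preflight = { method: 'OPTIONS', headers: {
  origin: 'https://app.example', 'access-control-request-method': 'GET' } };
for (const corsAware of [false, true]) {
  const before = controllerRuns;
  const res = handle(preflight, corsAware);
  console.log({ corsAware, status: res.status,
    controllerRan: controllerRuns > before,
    readable: scriptMayRead('https://app.example', res) });
}
```

Because the browser check only governs what page script may read, authorization still has to be enforced in the controller itself; a request from an origin outside the allow-list reaches it all the same.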