0

I'm working on an Angular web application. I need to make a POST request with an XML body to a server I don't have control over. The request needs an Authorization header. I tried the following:

  • Send the request directly: It only works when the application is served on http://localhost. Otherwise, the browser shows the following error: `Access to XMLHttpRequest at 'server.com' from origin 'my-server.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.`
  • Use a browser extension that adds the missing header to responses: Unsafe, because the extension adds Access-Control-Allow-Origin: * to responses from all domains and that header allows requests from any domain.
  • Disable browser security: I ran Chrome using this command: `chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security`. Works when the application is running on an HTTPS server. However, it's unsafe, for the same reasons stated for the previous approach.
  • Use a third-party proxy: Works for a few requests, but the server blocks the proxy IP because the requests of all clients pass through the same proxy.

My project requires bypassing browser security without compromising security for non-related domains. My project also requires a different IP to be sent to the server by each client. That's required so that if a client overuses the feature, it won't affect other clients.

Is there a way I can add Access-Control-Allow-Origin: my-server.com to all responses or add the header only for a specific server? Is there a way I can redirect each request to a different IP so that the server won't block all my clients? Are there any other workarounds?

Kamil Naja
  • Does this server accept `Content-Type: application/x-www-form-urlencoded`? – Taki Sep 24 '19 at 19:58
  • If you can send the request from your back end, that will help you. Plenty of CORS related articles on S/Overflow. I think you've outlined the major issues with doing it from the front end: e.g. https://stackoverflow.com/questions/23612266/suppress-options-requests-in-angular-cors, https://stackoverflow.com/questions/51606925/httpclient-angular-cors-twilio – Farasi78 Sep 24 '19 at 20:00
  • The browser extension is probably the best bet given your requirements, I'm not sure why you couldn't program the extension to only modify the response headers for the domain in question. I know for instance that Chrome extensions are only active when on domains where the extension has been given permissions, or am I missing something? – Jake Holzinger Sep 24 '19 at 20:03

1 Answer

0

For the protection of end users, browsers block requests to other servers. Yes, you can have a CORS browser extension, but that is a temporary solution.

You need to set up an endpoint on your server 'my-server.com' to consume your web application's POST requests. From there you can communicate with the server you don't own and set up your proper auth headers, etc.

Nick Lee
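The relay endpoint described in the answer above could look like the following in Node.js. This is an added example, not code from the answer; `UPSTREAM_URL`, the `UPSTREAM_AUTH` environment variable, the limits and the function names are assumptions. It also throttles each client separately, so one client that overuses the feature does not affect the others.

```javascript
// Added example; constant, env-var and function names are assumptions, not from the page.
const UPSTREAM_URL = 'https://server.com/';       // placeholder; fixed here, never client-supplied
const ALLOWED_ORIGIN = 'https://my-server.com';   // origin that serves the Angular app
const MAX_BODY = 64 * 1024;                       // cap on relayed XML (constructed value)
const LIMIT = 30, WINDOW_MS = 60_000;             // per-client budget (constructed values)
const hits = new Map();                           // clientId -> timestamps of recent requests

// Sliding-window limiter: a client that overuses the relay is throttled on its own.
function allow(clientId, now = Date.now()) {
  const recent = (hits.get(clientId) || []).filter((t) => now - t < WINDOW_MS);
  const ok = recent.length < LIMIT;
  if (ok) recent.push(now);
  hits.set(clientId, recent);
  return ok;
}

// Framework-independent relay logic; doFetch is injectable so it can be tested offline.
async function relay({ method, origin, contentType, clientId, body }, doFetch = fetch) {
  if (method !== 'POST') return { status: 405, body: 'POST only' };
  if (origin !== ALLOWED_ORIGIN) return { status: 403, body: 'origin not allowed' };
  if (!/^(application|text)\/xml\b/i.test(contentType || '')) return { status: 415, body: 'XML only' };
  if (Buffer.byteLength(body) > MAX_BODY) return { status: 413, body: 'body too large' };
  if (!allow(clientId)) return { status: 429, body: 'rate limit exceeded' };
  const upstream = await doFetch(UPSTREAM_URL, {
    method: 'POST',
    // The credential is read on the server and never shipped to the browser.
    headers: { 'Content-Type': 'application/xml', Authorization: process.env.UPSTREAM_AUTH || '' },
    body,
  });
  return { status: upstream.status, body: await upstream.text() };
}

// Wiring for Node's built-in HTTP server; call startServer(3000) to listen.
function startServer(port) {
  return require('node:http').createServer(async (req, res) => {
    req.setEncoding('utf8');
    let body = '';
    for await (const chunk of req) if (body.length <= MAX_BODY) body += chunk; // stop buffering past the cap
    const out = await relay({
      method: req.method, origin: req.headers.origin, contentType: req.headers['content-type'],
      clientId: req.socket.remoteAddress, // assumption: no reverse proxy in front; prefer a session id
      body,
    }).catch(() => ({ status: 502, body: 'upstream error' }));
    res.writeHead(out.status, { 'Content-Type': 'text/plain' }).end(out.body);
  }).listen(port);
}
```

Because this endpoint is on the same origin as the application, the browser calls it without any CORS preflight to `server.com`.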