6

Classic "Origin ... is not allowed by Access-Control-Allow-Origin" problem. Two machines serve content for the same website. When machine A does a $('#main').load('link_to_resource_on_B') via jQuery, machine B serves up the content with mod_python, adding the Access-Control-Allow-Origin: * header. But for some reason, this still does not work. I tested this on Chrome, Safari, and Internet Explorer. I also tested via the command line to check the response header, and Access-Control-Allow-Origin: * is indeed in the header from B. See below. What could I be missing?

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /tests/python/test/env HTTP/1.1
host: 10.0.1.10 

HTTP/1.1 200 OK
Date: Mon, 27 Feb 2012 02:05:33 GMT
Server: Apache/2.2.20 (Ubuntu)
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html
  • Are there any custom headers that are set by the client? Custom headers (or non-GET HTTP methods) could trigger a preflight request, which needs additional handling. – monsur Feb 27 '12 at 17:36
  • Thanks for the tips, @monsur. You are right, it was the OPTION header, and it wasn't handled, as it seems. A little research also told me that my jQuery was too old. The newer jQuery (since 1.5.2) deliberately avoids using a custom header. So it boils down to: I upgraded my jQuery, and my headache went away. For those others who suffer from the same symptom, this link provided me the second half of the enlightenment. [http://remysharp.com/2011/04/21/getting-cors-working/](http://remysharp.com/2011/04/21/getting-cors-working/) – user1170717 Feb 28 '12 at 07:19
  • @josh3736, thanks for helping me format my initial post. That was my first post. Will know what to do next time. – user1170717 Feb 28 '12 at 07:26

1 Answer

7

Enabling the Access-Control-Allow-Origin header in the response is not sufficient. The server-side implementation should also provide proper handling for the pre-flight OPTIONS request. In particular, the following HTTP headers must be set in the OPTIONS response:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST

Consider replacing the wildcard with the list of domains allowed to access the cross-origin server.

Keep in mind that the Access-Control-Allow-Origin HTTP header must also be set in the subsequent GET and POST responses.

Other HTTP headers, such as Access-Control-Allow-Headers, might also be needed in the OPTIONS response in case non-standard HTTP headers are used.

A great article explaining CORS can be found here.

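A handler that does what this answer describes, written as an added example (it is not the answer's code nor the asker's mod_python handler): it answers the preflight OPTIONS with Allow-Origin, Allow-Methods and Allow-Headers, uses an origin allowlist instead of the wildcard, and still sets Allow-Origin on the actual GET/POST. The origins, allowed methods and allowed header names are constructed placeholders.

```python
"""CORS preflight handling for the two-machine setup in the question.

Once the browser decides to preflight (custom header, non-simple method),
it first sends OPTIONS carrying Origin, Access-Control-Request-Method and,
optionally, Access-Control-Request-Headers. The OPTIONS response has to
answer all three; Access-Control-Allow-Origin on the GET alone is not enough.
"""
from typing import Dict, Tuple

# Constructed allowlist for machine A; the answer recommends this over "*".
ALLOWED_ORIGINS = {"http://10.0.1.11", "https://a.example"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"x-requested-with", "content-type"}  # constructed


def cors_headers(method: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, cors_response_headers) for one incoming request.

    204 = preflight answered (no body); 200 = proceed with the real handler,
    adding the returned headers; 403 = origin, method or headers not allowed.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin is None:
        return 200, {}  # same-origin or non-browser client: no CORS headers needed
    if origin not in ALLOWED_ORIGINS:
        return 403, {}  # unknown origin: do not echo anything back
    # Echo the specific origin (not "*") and tell caches the answer varies on it.
    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method != "OPTIONS":
        return 200, resp  # the actual GET/POST response still needs Allow-Origin
    req_method = h.get("access-control-request-method", "")
    if req_method not in ALLOWED_METHODS:
        return 403, {}
    requested = h.get("access-control-request-headers", "")
    req_headers = {x.strip().lower() for x in requested.split(",") if x.strip()}
    if not req_headers <= ALLOWED_HEADERS:
        return 403, {}  # e.g. a custom header the server has not opted in to
    resp["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    if req_headers:
        resp["Access-Control-Allow-Headers"] = ", ".join(sorted(req_headers))
    resp["Access-Control-Max-Age"] = "600"  # let the browser cache this preflight
    return 204, resp
```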