I have deployed two applications in a private JVM/tomcat 8.5.30 on my vps.
The one is my ROOT.war and the other one is the admin.war
They are accesible from http://example.com and http://example.com/admin
Before I installed a ssl certificate everything worked fine. After installing it and forcing https redirect I am facing a problem with my admin.war (now they are both accesible from https://example.com and https://example.com/admin)
In a lot of jqueries I am getting this error
Access to XMLHttpRequest at 'http: //example.com/admin/add' from origin 'https: //example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Is there any configuration that I can do on my tomcat to solve this?
I would truly appreciate any tip!!!
Related
I have a webpage with http loaded content,
and this font page with https:
https://fonts.googleapis.com/css?family=Oswald:300,700,regular&subset=latin-ext
which I have embeded in the first page.
When I am loading the page, it's displaying the error below:
has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space local.
Is there anything I can do about it on Apache ?
With CORS-rfc1918, chrome will be mandating public websites accessing private content use HTTPS.
FIX: You can either serve the content behind HTTPS, or else in your browser flags (eg chrome://flags) disable Block insecure private network requests
block-insecure-private-network-requests:
With this flag turned on, any requests to a private network resource from an HTTP website will be blocked.
add header Access-Control-Allow-Private-Network
https://developer.chrome.com/blog/private-network-access-update/
I have configure my domain and SSL in AWS EC2 instance. When i write domain in browser, amazon test page has been loaded successfully but in browser console, it shows below error:
Request URL: https://xxxxx.com/
Request Method: GET
Status Code: 403 Forbidden
Remote Address: xx.xx.xx.xx:443
Referrer Policy: no-referrer-when-downgrade
Even when i test my domain in tools like "pingdom", it also display "403 Forbidden" in response code.
Can anyone provide solution to fix "403 Forbidden" issue?
This means your web server (apache, nginx ) https directory is different than HTTP
forbidden probably means you don't have index page in the www folder, for example, index.html, usually for the HTTP port there is a welcome page in the default configuration but not for https
I am trying to setup converse on my website with BOSH, using an Apache web server. Currently, I am getting the following error:
Access to XMLHttpRequest at 'http://localhost:7070/' (redirected from 'http://localhost/http-bind') from origin 'http://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This is despite the fact that I have enabled Access-Control-Allow-Origin in Apache 2.4, and the header shows up on the webpage where the client is sitting, at https://localhost/index.php. The Apache httpd.conf has, at root level:
Header set Access-Control-Allow-Origin *
Header set Access-Control-Allow-Credentials true
And Apache redirects from localhost/http-bind to localhost:7070, the XMPP server's BOSH port:
RewriteEngine On
RewriteRule ^/http-bind(.*)$ http://localhost:7070$1 [L]
The XMPP server, OpenFire, has BOSH and CORS enabled.
Converse's initialize method contains this line:
bosh_service_url: 'http://localhost/http-bind',
How can I get converse on my website to use BOSH via CORS?
I have the following in my .htaccess file:
Header set Access-Control-Allow-Origin: "*"
It works perfectly! But it is bad security practise.
When I change it to:
Header set Access-Control-Allow-Origin: "http://example.com"
I get the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://example.com/oc/catalog/view/javascript/font-awesome/fonts/fontawesome-webfont.woff2?v=4.4.0. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://example.com').
How do I handle this?
From the live site:
Font from origin 'http://arvindint.com' has been blocked from loading by Cross-Origin Resource Sharing policy: The 'Access-Control-Allow-Origin' header has a value 'http://arvindint.com' that is not equal to the supplied origin. Origin 'http://www.arvindint.com' is therefore not allowed access.
From a comment from the OP:
Please note, I get this error when accessing the website through www.example.com instead of example.com
That is your problem.
If you give permission to example.com but not to www.example.com then you can't access it from www.example.com.
Permissions are on a per-origin basis, not on a per-second-level-domain basis.
Pick one of the two host names (with or without www) and stick to it. Redirect from one to the other. Don't host your site on two different host names. Doing so is more trouble than it is worth.
I'am getting an error in Gchrome Console
XMLHttpRequest cannot load http://example.com:7070/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.com' is therefore not allowed access.
I can access http-bind http://example.com:7070/ below is my
.htaccess file
RewriteRule http-bind/ http://example.com:7070/
How to fix this?
What you're trying to do is a reverse proxy. http://example.com:7070/ is tecnically another source, so it's being prevented from loading.
You have a few options.
Configure a reverse proxy on apache config file,
Implement it on .htaccess like this
Implement CORS on example.com:7070