I am trying to setup converse on my website with BOSH, using an Apache web server. Currently, I am getting the following error:
Access to XMLHttpRequest at 'http://localhost:7070/' (redirected from 'http://localhost/http-bind') from origin 'http://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This is despite the fact that I have enabled Access-Control-Allow-Origin in Apache 2.4, and the header shows up on the webpage where the client is sitting, at https://localhost/index.php. The Apache httpd.conf has, at root level:
Header set Access-Control-Allow-Origin *
Header set Access-Control-Allow-Credentials true
And Apache redirects from localhost/http-bind to localhost:7070, the XMPP server's BOSH port:
RewriteEngine On
RewriteRule ^/http-bind(.*)$ http://localhost:7070$1 [L]
The XMPP server, OpenFire, has BOSH and CORS enabled.
Converse's initialize method contains this line:
bosh_service_url: 'http://localhost/http-bind',
How can I get converse on my website to use BOSH via CORS?
Related
I'm having an issue using the keycloak-js adapter on a React front-end.
After login a duplicated 'Access-Control-Allow-Origin' on the /token endpoint causes a CORS error:
Access to XMLHttpRequest at 'https://accounts.example.com/auth/realms/myRealm/protocol/openid-connect/token' from origin 'https://example.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'https://example.com, *', but only one is allowed.
The response header:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Keycloak 9 is running in standalone mode behind an Nginx proxy on https://accounts.example.com.
The keycloak-js adapater configuration:
{
"realm": myRealm,
"url": https://accounts.example.com/auth,
"clientId": myClientId,
"enable_cors": true
}
I already tried multiple combinations for the client "Web Origins":
https://example.com, *, +, but I can't figure out why I got an extra Header Access-Control-Allow-Origin: *.
We have discovered that our own proxy were writing Access-Control-Allow-Origin header as well. That's why together with keycloak we got it twice.
Our devops team has fixed the code of our proxy and it works now.
* is not valid value for Access-Control-Allow-Origin for sites running on https.
Remove * from web origins client configuration in the Keycloak and configure all used web origin explicitly (no wildchars).
I have deployed two applications in a private JVM/tomcat 8.5.30 on my vps.
The one is my ROOT.war and the other one is the admin.war
They are accesible from http://example.com and http://example.com/admin
Before I installed a ssl certificate everything worked fine. After installing it and forcing https redirect I am facing a problem with my admin.war (now they are both accesible from https://example.com and https://example.com/admin)
In a lot of jqueries I am getting this error
Access to XMLHttpRequest at 'http: //example.com/admin/add' from origin 'https: //example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Is there any configuration that I can do on my tomcat to solve this?
I would truly appreciate any tip!!!
I have the following in my .htaccess file:
Header set Access-Control-Allow-Origin: "*"
It works perfectly! But it is bad security practise.
When I change it to:
Header set Access-Control-Allow-Origin: "http://example.com"
I get the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://example.com/oc/catalog/view/javascript/font-awesome/fonts/fontawesome-webfont.woff2?v=4.4.0. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://example.com').
How do I handle this?
From the live site:
Font from origin 'http://arvindint.com' has been blocked from loading by Cross-Origin Resource Sharing policy: The 'Access-Control-Allow-Origin' header has a value 'http://arvindint.com' that is not equal to the supplied origin. Origin 'http://www.arvindint.com' is therefore not allowed access.
From a comment from the OP:
Please note, I get this error when accessing the website through www.example.com instead of example.com
That is your problem.
If you give permission to example.com but not to www.example.com then you can't access it from www.example.com.
Permissions are on a per-origin basis, not on a per-second-level-domain basis.
Pick one of the two host names (with or without www) and stick to it. Redirect from one to the other. Don't host your site on two different host names. Doing so is more trouble than it is worth.
I'am getting an error in Gchrome Console
XMLHttpRequest cannot load http://example.com:7070/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.com' is therefore not allowed access.
I can access http-bind http://example.com:7070/ below is my
.htaccess file
RewriteRule http-bind/ http://example.com:7070/
How to fix this?
What you're trying to do is a reverse proxy. http://example.com:7070/ is tecnically another source, so it's being prevented from loading.
You have a few options.
Configure a reverse proxy on apache config file,
Implement it on .htaccess like this
Implement CORS on example.com:7070
My website supports both http and https protocols. However using the code below in .htaccess file, I can only set one domain to allow CORS requests:
Header set Access-Control-Allow-Origin: http://example.com
I want to allow CORS for both http and https versions of my site (not just "*") and tried the solutions here:
Access-Control-Allow-Origin Multiple Origin Domains?
But the problem is that all solutions rely on Origin header in the request which may not exist and also is not secure. (anyone can put a origin header in their request)
I want to know if the request has been served over https and use this info to set the proper CORS header. Something like this:
SetEnvIf servedOverHttps httpsOrigin=true
Header set Access-Control-Allow-Origin: https://example.me env=httpsOrigin
SetEnvIf notServedOverHttps httpOrigin=true
Header set Access-Control-Allow-Origin: http://example.me env=httpOrigin
How can I find out that it's a https request?
Have you tried using HTTPS variable?
It will be set to "on" for all https requests.
Your .htaccess should look like this
Header set Access-Control-Allow-Origin: http://example.com #default
Header set Access-Control-Allow-Origin: https://example.com env=HTTPS #override if https