cors interview questions
Top cors frequently asked interview questions
I am trying to support CORS in my Node.js application that uses the Express.js web framework. I have read a Google group discussion about how to handle this, and read a few articles about how CORS works. First, I did this (code is written in CoffeeScript syntax):
app.options "*", (req, res) ->
res.header 'Access-Control-Allow-Origin', '*'
res.header 'Access-Control-Allow-Credentials', true
# try: 'POST, GET, PUT, DELETE, OPTIONS'
res.header 'Access-Control-Allow-Methods', 'GET, OPTIONS'
# try: 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept'
res.header 'Access-Control-Allow-Headers', 'Content-Type'
# ...
It doesn't seem to work. It seems like my browser (Chrome) is not sending the initial OPTIONS request. When I just updated the block for the resource I need to submit a cross-origin GET request to:
app.get "/somethingelse", (req, res) ->
# ...
res.header 'Access-Control-Allow-Origin', '*'
res.header 'Access-Control-Allow-Credentials', true
res.header 'Access-Control-Allow-Methods', 'POST, GET, PUT, DELETE, OPTIONS'
res.header 'Access-Control-Allow-Headers', 'Content-Type'
# ...
It works (in Chrome). This also works in Safari.
I have read that...
In a browser implementing CORS, each cross-origin GET or POST request is preceded by an OPTIONS request that checks whether the GET or POST is OK.
So my main question is, how come this doesn't seem to happen in my case? Why isn't my app.options block called? Why do I need to set the headers in my main app.get block?
Source: (StackOverflow)
The following works in all browsers except IE (I'm testing in IE 9).
jQuery.support.cors = true;
...
$.ajax(
url + "messages/postMessageReadByPersonEmail",
{
crossDomain: true,
data: {
messageId : messageId,
personEmail : personEmail
},
success: function() {
alert('marked as read');
},
error: function(a,b,c) {
alert('failed');
},
type: 'post'
}
);
I have another function which uses dataType: 'jsonp', but I don't need any data returned on this AJAX call. My last resort will be to return some jibberish wrapped in JSONP just to make it work.
Any ideas why IE is screwing up with a CORS request that returns no data?
Source: (StackOverflow)
I'm receiving the following error on a couple of Chrome browsers but not all. Not sure entirely what the issue is at this point.
Font from origin 'https://ABCDEFG.cloudfront.net' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://sub.domain.com' is therefore not allowed access.
I have the following CORS Configuration on S3
<CORSConfiguration>
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedHeader>*</AllowedHeader>
<AllowedMethod>GET</AllowedMethod>
</CORSRule>
</CORSConfiguration>
The request
Remote Address:1.2.3.4:443
Request URL:https://abcdefg.cloudfront.net/folder/path/icons-f10eba064933db447695cf85b06f7df3.woff
Request Method:GET
Status Code:200 OK
Request Headers
Accept:*/*
Accept-Encoding:gzip,deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Host:abcdefg.cloudfront.net
Origin:https://sub.domain.com
Pragma:no-cache
Referer:https://abcdefg.cloudfront.net/folder/path/icons-e283e9c896b17f5fb5717f7c9f6b05eb.css
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
All other requests from Cloudfront/S3 work properly, including JS files.
Source: (StackOverflow)
My site uses http and https protocol; it doesn't affect the content. My site uses jQuery ajax calls, which fills some areas on the page, too.
Now, I would like to do all ajax calls over https. (please dont ask me why :))
When I am on a page with https protocol, ajax requests are working.
When I'm on a page with http protocol, I get a javascript error:
Access to restricted URI denied
I know that this is a cross domain problem (in fact, it's a cross protocol problem), and I know that I should use the same protocol in ajax calls as on the current page.
Still, I want to all ajax calls to be https, and call them on a page that was served over http.
Is there any workaround to achieve this (some json/proxy solution?), or is it simply impossible?
Source: (StackOverflow)
Okay, I have a page on and on this page I have an iframe. What I need to do is on the iframe page, find out what the URL of the main page is.
I have searched around and I know that this is not possible if my iframe page is on a different domain, as that is cross-site scripting. But everywhere I've read says that if the iframe page is on the same domain as the parent page, it should work if I do for instance:
parent.document.location
parent.window.document.location
parent.window.location
parent.document.location.href
... or other similar combos, as there seems to be multiple ways to get the same info.
Anyways, so here's the problem. My iframe is on the same domain as the main page, but it is not on the same SUB domain. So for instance I have
http:// www.mysite.com/pageA.html
and then my iframe URL is
http:// qa-www.mysite.com/pageB.html
When I try to grab the URL from pageB.html (the iframe page), I keep getting the same access denied error. So it appears that even sub-domains count as cross-site scripting, is that correct, or am I doing something wrong?
Source: (StackOverflow)
I am having trouble getting a cross domain cors request to work correctly using chrome.
Request Headers:
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:origin, content-type
Access-Control-Request-Method:POST
Connection:keep-alive
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
Response headers:
Access-Control-Allow-Headers:*
Access-Control-Allow-Origin:*
Allow:GET, POST, OPTIONS
Content-Length:0
Date:Tue, 30 Oct 2012 20:04:28 GMT
Server:BaseHTTP/0.3 Python/2.7.3
Error:
XMLHttpRequest cannot load domain. Request header field Content-Type is not allowed by Access-Control-Allow-Headers.
And the python code serving the options request is:
self.send_response(200)
self.send_header('Allow', 'GET, POST, OPTIONS')
self.send_header('Access-Control-Allow-Origin', '*')
self.send_header('Access-Control-Allow-Headers', '*')
self.send_header('Content-Length', '0')
self.end_headers()
It seems the Access-Control-Allow-Origin wildcard is being ignored?
Source: (StackOverflow)
I've been doing a lot of research and could not find a way to handle this. I'm trying to perform a jQuery ajax call from an https server to a locahost https server running jetty with a custom self signed certificate. My problem is that I cannot determine whether the response is a connection refused or a insecure response (due to the lack of the certificate acceptance). Is there a way to determine the difference between both scenarios? The responseText, and statusCode are always the same in both cases, even though in the chrome console I can see a difference:
net::ERR_INSECURE_RESPONSE
net::ERR_CONNECTION_REFUSED
responseText is always "" and statusCode is always "0" for both cases.
My question is, how can I determine if a jQuery ajax call failed due to ERR_INSECURE_RESPONSE or due to ERR_CONNECTION_REFUSED?
Once the certificate is accepted everything works fine, but I want to know whether the localhost server is shut down, or its up and running but the certificate has not yet been accepted.
$.ajax({
type: 'GET',
url: "https://localhost/custom/server/",
dataType: "json",
async: true,
success: function (response) {
//do something
},
error: function (xhr, textStatus, errorThrown) {
console.log(xhr, textStatus, errorThrown); //always the same for refused and insecure responses.
}
});
Even performing manually the request I get the same result:
var request = new XMLHttpRequest();
request.open('GET', "https://localhost/custom/server/", true);
request.onload = function () {
console.log(request.responseText);
};
request.onerror = function () {
console.log(request.responseText);
};
request.send();
Source: (StackOverflow)
I'm wondering if it's possible to debug CORS requests using cURL. So far I couldn't find any way to "simulate" the preflight request .
Source: (StackOverflow)
My WebAPI was deployed in the Intranet environment. That means security was not my concern.
It seems that CORS is much more friendly to the client and easier to implement.
Any other concerns I might have missed?
Source: (StackOverflow)
I am using CORS to call a cross domain API, however Internet Explorer is giving issues. CORS should be possible in IE8 and IE9 through the XDomainRequest object, however I can't get things to work..
JQuery refuses to provide native support for XDomainRequest, however several jQuery plugins are suggested to add this support. This topic suggest two such plugins: jQuery.XDomainRequest.js and xdr.js, which has been reported to work. Afaik, the plugins should automatically override behavior of jQuery.ajax. I found another plugin here.
I put a little demo pages with the respective plugins jQuery.XDomainRequest and xdr and jquery.ie.cors that perform ajax requests to a CORS enabled server. The pages are working in Chrome and Firefox, however IE8/9 instantly throw a permission denied error (even before making the request). This MSDN post suggest adding another handler xhr.onprogress = function() {}; but I tried this and it isn't working either.
Any clues what I am doing wrong? I have also tested with IE8 now using MS virtual server, but it has exactly the same problem.
Edit: OK so I figured out that part of the problem was that I was using POST over HTTPS. Apparently XDomainRequest does not allow CORS over HTTPS. I can switch to HTTP but I really need POST.
Edit2: See this issue on github for the end of this story. It turns out that when using HTTP POST, the xDomainRequest can only encode the request body (arguments) as text/plain. This pretty much makes it worthless, because everyone uses application/x-www-form-urlencoded or multipart/form-data.
Summary: I highly recommend not investing any time in XDomainRequest, because it is a terribly poor implementation with many limitations. It basically only really works for GET requests to non-ssl servers, so you might as well use jsonp or whatever.
Source: (StackOverflow)
I have a setup involving
Frontend server (Node.js, domain: localhost:3000) <---> Backend (Django, Ajax, domain: localhost:8000)
Browser <-- webapp <-- Node.js (Serve the app)
Browser (webapp) --> Ajax --> Django(Serve ajax POST requests)
Now, my problem here is with CORS setup which the webapp uses to make Ajax calls to the backend server. In chrome, I keep getting
Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
doesn't work on firefox either.
My Node.js setup is:
var allowCrossDomain = function(req, res, next) {
res.header('Access-Control-Allow-Origin', 'http://localhost:8000/');
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
};
And in Django I'm using this middleware along with this
The webapp makes requests as such:
$.ajax({
type: "POST",
url: 'http://localhost:8000/blah',
data: {},
xhrFields: {
withCredentials: true
},
crossDomain: true,
dataType: 'json',
success: successHandler
});
So, the request headers that the webapp sends looks like:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept"
Access-Control-Allow-Methods: 'GET,PUT,POST,DELETE'
Content-Type: application/json
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: csrftoken=***; sessionid="***"
And here's the response header:
Access-Control-Allow-Headers: Content-Type,*
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,OPTIONS,PUT,DELETE
Content-Type: application/json
Where am I going wrong?!
Edit 1: I've been using chrome --disable-web-security, but now want things to actually work.
Edit 2: Answer:
So, solution for me django-cors-headers config:
CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = (
'http://localhost:3000' # Here was the problem indeed and it has to be http://localhost:3000, not http://localhost:3000/
)
Source: (StackOverflow)
How can I disable cors? For some reason I wild carded the allowed origins and headers yet my ajax requests still complain that the origin was not allowed by my CORS policy....
My applications controller :
class ApplicationController < ActionController::Base
protect_from_forgery
before_filter :current_user, :cors_preflight_check
after_filter :cors_set_access_control_headers
# For all responses in this controller, return the CORS access control headers.
def cors_set_access_control_headers
headers['Access-Control-Allow-Origin'] = '*'
headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS'
headers['Access-Control-Allow-Headers'] = '*'
headers['Access-Control-Max-Age'] = "1728000"
end
# If this is a preflight OPTIONS request, then short-circuit the
# request, return only the necessary headers and return an empty
# text/plain.
def cors_preflight_check
if request.method == :options
headers['Access-Control-Allow-Origin'] = '*'
headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS'
headers['Access-Control-Allow-Headers'] = '*'
headers['Access-Control-Max-Age'] = '1728000'
render :text => '', :content_type => 'text/plain'
end
end
private
# get the user currently logged in
def current_user
@current_user ||= User.find(session[:user_id]) if session[:user_id]
end
helper_method :current_user
end
routes:
match "*all" => "application#cors_preflight_check", :constraints => { :method => "OPTIONS" }
match "/alert" => "alerts#create"
match "/alerts" => "alerts#get"
match "/login" => "sessions#create"
match "/logout" => "sessions#destroy"
match "/register" => "users#create"
Edit---
I also tried:
config.middleware.use Rack::Cors do
allow do
origins '*'
resource '*',
:headers => :any,
:methods => [:get, :post, :delete, :put, :options]
end
end
in application.rb
--edit 2---
The problem is that Chrome Extensions may not support CORS I think. How can I fetch information bypassing CORS? How should I respond to the preflight check?
Source: (StackOverflow)
I am tying to make a cross domain http request to WCF service (that I own). I have read several techniques for working around the cross domain scripting limitations. Because my service must accommodate both GET and POST requests I cannot implement some dynamic script tag whose src is the url of a GET request. Since I am free to make changes at the server I have begun to try to implement a workaround that involves configuring the server responses to include the, "Access-Control-Allow-Origin" header and 'preflight' requests with and OPTIONS request. I got the idea from this post : Getting CORS working
At the server side, my web method is adding 'Access-Control-Allow-Origin: *' to the http response. I can see that responses do include this header now. My question is: How do I 'preflight' a request (OPTIONS)? I am using jQuery.getJSON to make the GET request but the browser cancels the request right away with the infamous:
Orgin http://localhost is not allowed by Access-Control-Allow-Origin
Is anyone familar with this CORS technique? What changes need to be made at the client to preflight my request?
Thanks!
Source: (StackOverflow)
I'm trying to make a Cross Origin post request, and I got it working in plain Javascript like this:
var request = new XMLHttpRequest();
var params = "action=something";
request.open('POST', url, true);
request.onreadystatechange = function() {if (request.readyState==4) alert("It worked!");};
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.setRequestHeader("Content-length", params.length);
request.setRequestHeader("Connection", "close");
request.send(params);
But I would like to use jQuery, but I can't get it to work. This is what I'm trying:
$.ajax(url, {
type:"POST",
dataType:"json",
data:{action:"something"},
success:function(data, textStatus, jqXHR) {alert("success");},
error: function(jqXHR, textStatus, errorThrown) {alert("failure");}
});
This results in Failure. If anyone knows why jQuery doesn't work, please let us all know. Thanks.
(I'm using jQuery 1.5.1, and Firefox 4.0, and my server is responding with a proper Access-Control-Allow-Origin header)
Source: (StackOverflow)
I can't figure out why my .htaccess header settings doesn't work.
My .htaccess file content:
Header set Access-Control-Allow-Origin *
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "*"
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
But when I remove Header's and add them in index.php then everything works fine.
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: *");
What am i missing?
Source: (StackOverflow)