Here is my CORS middleware: <?php namespace App\Http\Middleware; use Closure; class CORS { /** * Handle an incoming request. * * @param \Illuminate\Http\Request $request * @param \Closure $next * @return mixed */ public function handle($request, Closure $next) { header(“Access-Control-Allow-Origin: *”); // ALLOW OPTIONS METHOD $headers = [ ‘Access-Control-Allow-Methods’=> ‘POST, GET, OPTIONS, PUT, DELETE’, ‘Access-Control-Allow-Headers’=> ‘Content-Type, … Read more
The CORS spec is all-or-nothing. It only supports *, null or the exact protocol + domain + port: http://www.w3.org/TR/cors/#access-control-allow-origin-response-header Your server will need to validate the origin header using the regex, and then you can echo the origin value in the Access-Control-Allow-Origin response header.
Based on the examples in “Changes to Cross-Origin Requests in Chrome Extension Content Scripts”, I replaced all invocations of fetch with a new method fetchResource, that has a similar API, but delegates the fetch call to the background page: // contentScript.js function fetchResource(input, init) { return new Promise((resolve, reject) => { chrome.runtime.sendMessage({input, init}, messageResponse => … Read more
Same-origin policy What is it? The same-origin policy is a security measure standardized among browsers. The “origin” mostly refers to a “domain”. It prevents different origins from interacting with each other, to prevent attacks such as Cross Site Request Forgery. How does a CSRF attack work? Browsers allow websites to store information on a client’s … Read more
import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Component; @Component public class SimpleCORSFilter implements Filter { private final Logger log = LoggerFactory.getLogger(SimpleCORSFilter.class); public SimpleCORSFilter() { log.info(“SimpleCORSFilter init”); } @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException … Read more
do npm install cors –save and just add these lines in your main file where your request is going. const cors = require(‘cors’); const express = require(‘express’); const app = express(); app.use(cors());
This is a known bug with jQuery. The jQuery team has “no plans to support this in core and is better suited as a plugin.” (See this comment). IE does not use the XMLHttpRequest, but an alternative object named XDomainRequest. There is a plugin available to support this in jQuery, which can be found here: … Read more
Access-Control-Allow-Origin is a response header the server the request goes to must send. And all other Access-Control-Allow-* headers are response headers for servers to send. If you don’t control the server your request is sent to, and the problem with the response is just the lack of the Access-Control-Allow-Origin header or other Access-Control-Allow-* headers you … Read more
So what you do is… In the font files folder put an htaccess file with the following in it. <FilesMatch “\.(ttf|otf|eot|woff|woff2)$”> <IfModule mod_headers.c> Header set Access-Control-Allow-Origin “*” </IfModule> </FilesMatch> also in your remote CSS file, the font-face declaration needs the full absolute URL of the font-file (not needed in local CSS files): e.g. @font-face { … Read more
If you use Google Chrome browser you can hack with an extension. You can find a Chrome extension that will modify CORS headers on the fly in your application. Obviously, this is Chrome only, but I like that it works with zero changes anywhere at all. You can use it for debugging your app on … Read more