First of all those similars questions does not fit my situation, I've tried all the .htaccess solutions already.
I have a WordPress site (A) which handles the reservation form, and the form submit to another server (B) which handle the data (as well as follow up customer and payment), after the submission success I need to redirect to thanks-you page in A. but this happens
XMLHttpRequest cannot load B. Redirect from 'B' to 'A/thanks-you/' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'A' is therefore not allowed access.
I understand that by setting the response header from B will fix the issue, but I don't have access to it. (Already tested)
So my question is it possible to work on server A to fix this?
Thanks for all the comments and answer.
This CORS issue is troubling many, try below option it may help you.
Just changed Origin URL from http to https and issue resolved in my case. There is another way to fix an issue too.
REF : https://crunchify.com/how-to-fix-access-control-allow-origin-issue-for-your-https-enabled-wordpress-site-and-maxcdn/
just add below line into your .htaccess file.
Header set Access-Control-Allow-Origin "*"
Related
I am working on a wordpress website and I have installed mautic plugin into the website. Now issue is that I am getting the following error in the console. Cloud flare is also enabled.
Access to XMLHttpRequest at 'https://mautic.my-domain.com/mtc/event' from origin 'https://www.my-domain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I have tried different solutions for the issue but never get rid of this error.
I have tried by removing the trailing slash (/) from the domain name.
I have also used the " Header set Access-Control-Allow-Credentials: true Header set Access-Control-Allow-Origin 'https://www.my-domain.com' "
I have read many threads here at stack overflow, github and mautic forum but Still looking for the solution. Please help in this regard and thank you in advance
In Mautic
Configurations > System Settings > CORS Settings
either set it to NO in order to not restrict domains,
or set it to YES and Add domain you want to allow.
I have a company website that's hosted as https://foo.bar.com.
However, it was incorrectly conveyed to a lot of users that the URL would be www.foo.bar.com. Until this can be rectified, we are putting through an interim solution by setting up a proxy site www.foo.bar.com that will redirect any users coming to it to https://foo.bar.com.
This works... but only the first time the user navigates to the page. The next time I try to access www.foo.bar.com, due to caching, the browser takes me to https://www.foo.bar.com. We don't have a certificate set up for https://www.foo.bar.com and as a result are given a NET::ERR_CERT_COMMON_NAME_INVALID error.
Is there a way to work around this without needing a certificate?
To test, I've even tried returning a webpage when the I navigate to www.foo.bar.com with a link that navigates to https://foo.bar.com. However, the same issue happens even in this case. I'm guessing HSTS is at play here but not sure how to go about it.
I'd appreciate any insight into this matter, thank you in advance.
I belive the only solution to your problem is to obtain a valid certificate for www.foo.bar.com. Due to the certificate error the browsers will not attempt to communicate with your server so there's no way for you to issue a redirect away from wrong domain to the correct domain.
Why only the second time?
You mention HSTS so I am assuming https://foo.bar.com is sending a Strict-Transport-Security header as part of it's response. This header likely is being sent with the includeSubDomains option which instructs the browser to not only enforce HTTPS on foo.bar.com but also all subdomains of that main domain. As a result, when trying to request www.foo.bar.com the browser matches that HSTS rule and automatically re-writes it to use HTTPS.
Once this HSTS rule has been set in the browser it cannot be removed except by expiring, either by exceeing the original max-age time or by issuing another Strict-transport-security header with max-age=0 on https://foo.bar.com
Refused to display 'http://sotaexchange.cloudapp.net/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
I redirect my domain sotaexchange.com to a Discourse forum but get the above error. If I switch it to an HTTP redirect there is no problem. I assume the problem is because my redirected to domain has the same text as the original domain and looks like trickery - what can I do to prevent this?
Edit
I am opening a bounty to get a better answer. For more info, I am currently using Windows Azure to host the discourse site and redirecting from a few other domains that I own. I don't want to use an HTTP redirect, I would like to use the Frame redirect.
It looks like you are trying to mask the url of the forum. Why don't you use the cname feature? See cname on azure for more info.
The same origin policy requires that the document or script doing the accessing (the parent) have the same protocol , port, and domain as the resource it's accessing (the child).
If I understand correctly, you have a frame in a page on the domain sotaexchange.com, and it's trying to display content from the domain sotaexchange.cloudapp.net. This violates the same origin policy, and many browsers will reject it. A regular HTTP redirect should always be ok.
I'm having difficulty reconciling some conflicting information from StackOverflow and other sources regarding the use of calls across sub-domains. Consider these two independent sites that share a common domain:
site #1: www.myDomain.com
site #2: sub.myDomain.com
Requirements:
Site #1 must be able to execute an AJAX call to site #2 by way of sub.myDomain.com/handler.ashx.
Site #1 and Site #2 must be able to read each other's cookies.
These requirements lead me to the following questions:
Does the handler code located at sub.myDomain.com/handler.ashx need to alter its response headers to allow CORS? I know that I can write a call like this:
resp.Headers.Add("Access-Control-Allow-Origin","*");
…but from what I read, this will expose the handler to all domains. I just want to limit the calls to those originating from *.myDomain.com. What if I don't include the CORS header at all? What's the default behavior?
Do Site #1 and/or Site #2 need to tweak the Domain property of HttpCookie in order for the two sites to read each other's cookies?
What if I don't touch the Domain properties at all? What's the default behavior? Some forum responses suggest that cookie scope will be limited to the subdomain, while others suggest the entire domain is in scope (which is what I want) in which case no action would be required on my part.
If you add "*" for attribute "Access-Control-Allow-Origin" you allow to all sites to call your handler.
in www.myDomain.com handler response you have to add something like this
context.Response.AppendHeader("Access-Control-Allow-Origin", "sub.myDomain.com");
In this way only sub.myDomain.con can have a response from www.myDomain.com
The CORS spec is all-or-nothing. It can supports *, null or the exact domain: http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
In your ASHX handler you will need to validate the origin header using the regex, and then you can echo the origin value in the Access-Control-Allow-Origin response header.
I am new to this thing, so there is some questions I wanted to ask after looking up bunch of site that related to CORS.
First of all, lets say i have http://domain1.com that has a ajax call to http://domain2.com, I look up on http://enable-cors.org/server.html it say that I will have to add
Access-Control-Allow-Origin: *
this response to my page header or add this setting to web.config on the root directory of my application, but I was confused, should I add the response header to domain1 or domain2 application? My guess was add to domain2, but I cannot be sure because I don't have the required things to test it.
Furthermore, what if domain2.com were in https, means I am calling from http to https, will this works?
and how about IE?
You should add it on http://domain2.com because Access-Control-Allow-Origin is permission for http://domain1.com to get information from http://domain2.com.
Note that (*) symbol means that domain allows access to everyone, so you need to be careful with that. Better option would be:
Access-Control-Allow-Origin: http://domain1.com
It work fine for IE and for https:
Access-Control-Allow-Origin: http://domain1.com, https://domain1.com
Take a look for more information here.