I’ve finally figured out an answer to this. There is at least one other situation where an Origin header may be “null”. When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to “null”. I suppose this is considered … Read more
The important thing to note here is that if the user is signed in to a site http://example.com/ and the request http://example.com/delete?id=1 deletes a post by the user, then the following code will delete the user’s post: <script src=”http://example.com/delete?id=1″ /> This is called a CSRF/XSRF attack (cross-site request forgery). This is why most server-side web … Read more
To be more specific, it is easy to make the mistake of thinking that if evil.example cannot make a request to good.example due to CORS then CSRF is prevented. There are two problems being overlooked, however: CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.example make … Read more
Short answer: Ensure the request URL in your code isn’t missing a trailing slash. A missing-trailing-slash problem is the most-common cause of the error cited in the question. But that’s not the only cause — just the most common. Read on for more details. When you see this error, it means your code is triggering … Read more
The default behavior of web browsers that initiate requests from a page via JavaScript (AKA AJAX) is that they follow the same-origin policy. This means that requests can only be made via AJAX to the same domain (or sub domain). Requests to an entirely different domain will fail. This restriction exists because requests made at … Read more
I was wondering the same thing, so after a bit of research I found that the easiest way was simply to use a JAX-RS ContainerResponseFilter to add the relevant CORS headers. This way you don’t need to replace the whole web services stack with CXF (Wildfly uses CXF is some form, but it doesn’t look … Read more
Preflight can only be applied to the request, not to the entire domain. I brought the same question up on the mailing list, and there were security concerns. Here’s the entire thread: http://lists.w3.org/Archives/Public/public-webapps/2012AprJun/0228.html There are a few things to consider if you’d like to limit the number of preflight requests. First note that WebKit-based browsers … Read more
The simple answer is to set the Access-Control-Allow-Origin header to localhost or *. Here’s how I usually do it: Create a simple middleware called Cors: php artisan make:middleware Cors Add the following code to app/Http/Middleware/Cors.php: public function handle($request, Closure $next) { return $next($request) ->header(‘Access-Control-Allow-Origin’, ‘*’) ->header(‘Access-Control-Allow-Methods’, ‘GET, POST, PUT, DELETE, OPTIONS’); } You can replace … Read more
CORS is implemented in such a way that it does not break assumptions made in the pre-CORS, same-origin-only world. In the pre-CORS world, a client could trigger a cross-origin request (for example, via a script tag), but it could not read the response headers. In order to ensure that CORS doesn’t break this assumption, the … Read more
The quickest way to do this is to filter on -method:OPTIONS. Explanation: all pre-flight requests are via the HTTP OPTIONS method (opposed to POST or GET). This filter says “not method OPTIONS”. Note the leading hyphen because if you forget it, you’ll only show pre-flight requests.