I am having problems with CORS, which I can't seem to resolve.
My setup:
- Router/Hotspot on network A
- Webserver on network B
What I am trying to do, is... The user inputs his email into the Hotspot entry page, and when he clicks submit, the email is sent to the webserver (currently using XAMPP), this is where the CORS problem occurs.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://myIpAddress:8080/DBinsert.php. (Reason: CORS header 'Access-Control-Allow-Origin' missing.
Previously I had header('Access-Control-Allow-Origin: *');
set and I had no CORS problems...
I have tried adding this code to the very beginning of my php, but it still doesn't work...
header('Access-Control-Allow-Origin: http://10.5.50.*');
I have also tried
header('Access-Control-Allow-Origin: http://10.5.50.*:8080');
and it doesn't work...
The computer's IP is 10.5.50.3
Any help and explanations would be welcome.
Thank you.
Asked Jan 24, 2020 at 15:13 by DrDoom; edited Apr 2, 2022 at 10:24 by sideshowbarker.
- What are the exact error messages the browser is logging in the devtools console? In particular, what is the origin cited in the from origin [origin] part of the error message? – sideshowbarker ♦ Commented Jan 27, 2020 at 2:54
- What’s the HTTP status code of the response? You can use the Network pane in browser devtools to check. Is it a 4xx or 5xx error rather than a 200 OK success response? – sideshowbarker ♦ Commented Jan 27, 2020 at 2:55
- HTTP status code is 200. The exact error message (I only get one) is: Access to XMLHttpRequest at 'http://myIpAddress:8080/DBinsert.php' from 'http://10.5.50.1' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains invalid value '10.5.50.*'. – DrDoom Commented Jan 27, 2020 at 8:25
- The value of the Access-Control-Allow-Origin response header must either be the single character * or else an exact origin value such as http://10.5.50.3. Browsers do an exact match against the value, so 10.5.50.* won’t match anything — browsers don’t interpret the asterisk in 10.5.50.* as a wildcard. And note also that the Access-Control-Allow-Origin value must include the protocol part; so http://10.5.50.3 is a valid value for the header, but 10.5.50.3 would not be. – sideshowbarker ♦ Commented Jan 27, 2020 at 8:33
- Ok. Thank you. Thought I could "tighten" the control, but I guess that's not possible. Please write an answer so I can accept it =) Thank you. – DrDoom Commented Jan 27, 2020 at 8:51
2 Answers
Access-Control-Allow-Origin response-header values must either be the single character * or else an exact origin value, such as http://10.5.50.3.
Unless the Access-Control-Allow-Origin value is just the character *, then browsers do an exact match against the literal value of the header; therefore, 10.5.50.* (for example) won’t match anything — because browsers don’t interpret the asterisk in 10.5.50.* as a wildcard.
Note: Access-Control-Allow-Origin values must include the protocol part; so http://10.5.50.3 is a valid value for the header, but 10.5.50.3 would not be.
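Added example, not part of either answer: because the header must carry one exact origin, a server that wants to accept a whole range (the 10.5.50.x hosts from the question) has to validate the request's Origin header itself and echo that value back. The /24 range, the plain-http scheme and the allowed_origin helper name are assumptions.

```php
<?php
// Added example, not code from the thread. Assumption: pages served from any
// host in 10.5.50.0/24 over plain http (any port) may read the response.

/** Return the Origin value to echo back, or null if it is not permitted. */
function allowed_origin(?string $origin): ?string
{
    if ($origin === null) {
        return null;
    }
    // An origin is scheme://host[:port] only. \A and \z anchor the match so
    // "http://10.5.50.3.attacker.example" or a trailing newline cannot pass.
    if (!preg_match('#\Ahttp://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\z#', $origin, $m)) {
        return null;
    }
    $ip = ip2long($m[1]);            // false when an octet is out of range
    if ($ip === false) {
        return null;
    }
    // Clear the low 8 bits and compare with the /24 network address.
    return (($ip & (-1 << 8)) === ip2long('10.5.50.0')) ? $origin : null;
}

if (PHP_SAPI !== 'cli') {
    // Web request: the browser compares the header value literally with the
    // page's origin, so send back the validated origin itself.
    header('Vary: Origin');          // keep caches from reusing it across origins
    $origin = allowed_origin($_SERVER['HTTP_ORIGIN'] ?? null);
    if ($origin !== null) {
        header('Access-Control-Allow-Origin: ' . $origin);
    }
} else {
    // Command-line demo over constructed Origin values.
    $samples = [
        'http://10.5.50.1',                  // hotspot page from the question
        'http://10.5.50.3:8080',
        '10.5.50.3',                         // no scheme
        'http://10.5.50.*',                  // wildcard is not an origin
        'http://10.5.51.3',                  // outside the /24
        'http://10.5.50.3.attacker.example', // suffix trick
    ];
    foreach ($samples as $s) {
        printf("%-36s %s\n", $s, allowed_origin($s) === null ? 'rejected' : 'allowed');
    }
}
```

This header decides which pages a browser lets read the response; it does not stop non-browser clients from calling DBinsert.php, so the script still needs its own input validation.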
Use Access-Control-Allow-Origin with just the domain part, e.g.: https://www.yourdomain.com
NOTE: remove the last "/" char from the domain, or it will not work.
This will resolve any issues with the router's IP, or proxies, so just better use a domain name; also, if someday you change the server (and change the IP), then you will not need to worry about changing all the CORS policies again.
I'm on C# using
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "https://www.example.com");