javascript - CORS, IIS7 and PHP - Access-Control-Allow-Origin error - Stack Overflow

I'm trying to allow another host (a local host, like javascript.dev) to make an XHR to this host. It is an IIS7, and if I curl -I it, these are the headers:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: PHP/5.3.28
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS
Access-Control-Max-Age: 1000
Access-Control-Allow-Headers: *
X-Powered-By: ASP.NET
Date: Fri, 20 Jun 2014 12:09:33 GMT

These are the headers for curl -v -X OPTIONS:

* About to connect() to www2.xxxxxxxxxxxx..br port 80 (#0)
*   Trying 200.98.xxx.100...
* Connected to www2.xxxxxxxxxxxx..br (200.98.xxx.100) port 80 (#0)
> OPTIONS /jobs/xxxxxxx/user/ HTTP/1.1
> User-Agent: curl/7.30.0
> Host: www2.xxxxxxxxxxxx..br
> Accept: */*
> 
< HTTP/1.1 200 OK
< Allow: OPTIONS, TRACE, GET, HEAD, POST
* Server Microsoft-IIS/7.0 is not blacklisted
< Server: Microsoft-IIS/7.0
< Public: OPTIONS, TRACE, GET, HEAD, POST
< X-Powered-By: ASP.NET
< Date: Fri, 20 Jun 2014 13:01:25 GMT
< Content-Length: 0

I used PHP to change the Access-Control-Allow-Origin, but when I do the XHR, with or without jQuery, this is the error I'm getting:

XMLHttpRequest cannot load http://www2.xxxxxxxx..br/jobs/xxxxxx/user/. 
No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'http://javascript.dev' is therefore not allowed access. 

To document, additional steps I made to solve:

I added the code in the answer above to my web.config and get this error:

XMLHttpRequest cannot load http://www2.madeinweb..br/jobs/eminhasaude/user. 
Request header field Content-Type is not allowed by Access-Control-Allow-Headers. 

Because Access-Control-Allow-Headers doesn't accept the wildcard *. To solve:

<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />

asked Jun 20, 2014 at 12:18 by Dreanmer; edited Jun 20, 2014 at 14:34

Comments:
  • So when you send OPTIONS /jobs/xxxxxx/user/ it returns those headers as well? Presumably it does the same for a POST to that address? What appears in the network tab of your browser's debug tools? – Dean Ward Commented Jun 20, 2014 at 12:31
  • I added the headers for OPTIONS – Dreanmer Commented Jun 20, 2014 at 13:05
  • I think that might be your problem - browsers perform an OPTIONS request before they perform the actual operation. Your OPTIONS does not have Access-Control-Allow-Origin. – Dean Ward Commented Jun 20, 2014 at 13:08
  • OK, I really think this is the problem, but can I handle the response to the OPTIONS request with my PHP application? And if I can't, how can I do this in IIS7? – Dreanmer Commented Jun 20, 2014 at 13:18
1 Answer

Based upon comments it looks like you're missing the Access-Control-Allow-Origin header when an OPTIONS request is submitted. According to this article it should be a simple case of adding the following code to your PHP page...

<?php
header('Access-Control-Allow-Origin: *');
?>

If that still doesn't work then you should check the IIS handler mapping for PHP (see here) and make sure that OPTIONS is an allowed verb. Hopefully that does the job!

This article also indicates that you could skip modifying the PHP at all and simply add the following to your web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*" />
      <add name="Access-Control-Allow-Headers" value="*" />
      <add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, OPTIONS" />
      <add name="Access-Control-Max-Age" value="1000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Be aware that this will open up the entire site rather than just one page...
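
An alternative to the site-wide wildcard, as an added example that is not part of the original answer: a PHP entry point that answers the preflight OPTIONS request itself and returns Access-Control-Allow-Origin only for allowlisted origins. The function name cors_headers and the allowlist contents are assumptions; the method, header and max-age values are the ones from the question.

```php
<?php
// Added example (not from the original post). PHP 5.3-compatible syntax,
// since the server in the question reports PHP/5.3.28.
// Return the CORS headers for one request. No globals, so the decision
// can be exercised from the command line.
function cors_headers($method, $origin, array $allowedOrigins)
{
    // The response differs per Origin, so caches must key on it.
    $headers = array('Vary: Origin');
    // Missing or unlisted Origin: no CORS headers, so the browser will not
    // expose the response to the calling page.
    if ($origin === '' || !in_array($origin, $allowedOrigins, true)) {
        return $headers;
    }
    // Echo back the one allowlisted origin instead of "*".
    $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
    if ($method === 'OPTIONS') {
        // Preflight: explicit method and header lists (values from the question).
        $headers[] = 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS';
        $headers[] = 'Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept';
        $headers[] = 'Access-Control-Max-Age: 1000';
    }
    return $headers;
}
$allowedOrigins = array('http://javascript.dev'); // assumption: the asker's dev host

if (php_sapi_name() === 'cli') {
    // Constructed sample requests: show the decision without a web server.
    $samples = array(
        array('OPTIONS', 'http://javascript.dev'),
        array('POST', 'http://javascript.dev'),
        array('OPTIONS', 'http://other.example'),
    );
    foreach ($samples as $s) {
        echo $s[0], ' from ', $s[1], "\n  ",
            implode("\n  ", cors_headers($s[0], $s[1], $allowedOrigins)), "\n";
    }
    exit;
}

$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
foreach (cors_headers($method, $origin, $allowedOrigins) as $h) {
    header($h);
}
if ($method === 'OPTIONS') {
    exit; // preflight answered: 200 with an empty body
}
// The page's normal request handling continues here.
```

This only takes effect if the IIS handler mapping passes OPTIONS to PHP, as the answer notes, and the matching customHeaders entries should be removed from web.config so that Access-Control-Allow-Origin is not sent twice.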
