Situation:
- I have a production web server, let's say https://example.com, configured with CORS with a limited set of allowed origins. The set does NOT include localhost origins.
- On localhost, developers develop a page/module/whatever that needs to call the production web server via AJAX (even during development). To do that, they run Chrome with CLI arguments --disable-web-security --user-data-dir=chromeNoCors so that Chrome would send AJAX without Origin header.
- The problem is that only GET requests are sent without the header. POST requests still contain the header, therefore the production server compares the header value (http://localhost:5678) with the allowed set of origins and forbids access to the requested resource.
Question: Is it possible to somehow prevent sending of Origin HTTP header altogether?
I'm aware that there's a workaround to solve this situation by allowing "localhost" (or some specific host that developers will have to add to their /etc/hosts) to the set of allowed origins on production server but I'd like not to do this if possible.
asked May 17, 2017 at 14:13 by mareolan; edited Jun 4, 2017 at 20:04 by Sachin Jain
Comment:
- "On localhost, developers develop a page/module/whatever that needs to call the production web server via AJAX (even during development)" — Sounds like you are trying to hack around having a dev environment that isn't up to the job. You should fix that problem instead. – Quentin, May 17, 2017 at 14:39
2 Answers
I recommend that you set up a simple "proxy server" (a short node.js or python script would suffice). Have this server forward all requests to your remote API server but delete the information about the origin in headers. This is a matter of a simple regular expression.
This is a simple solution that will be portable to different servers. On the AJAX side, all you need is to change the hostname to localhost or the IP of your testing proxy server.
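A sketch of the proxy this answer describes, as an added example that is not part of the original answer: it drops `Origin` and `Referer` before forwarding and answers CORS for the dev page itself. The upstream URL, listen port 8081, the allowed header list and all names in the code are assumptions; `http://localhost:5678` is the dev origin from the question.

```python
import http.server
import urllib.error
import urllib.request

UPSTREAM = "https://example.com"      # assumption: production API base URL
DEV_ORIGIN = "http://localhost:5678"  # the developers' page origin, from the question
DROP = {"origin", "referer", "host", "connection", "keep-alive", "te", "upgrade",
        "transfer-encoding", "content-length", "accept-encoding"}

def strip_origin(headers):
    """Headers to forward upstream: all except Origin, Referer and hop-by-hop ones."""
    return {k: v for k, v in headers if k.lower() not in DROP}

class OriginStrippingProxy(http.server.BaseHTTPRequestHandler):
    upstream = UPSTREAM

    def _cors(self):
        # Page and proxy differ by port, so the browser still needs CORS from the proxy.
        self.send_header("Access-Control-Allow-Origin", DEV_ORIGIN)
        self.send_header("Access-Control-Allow-Headers", "Content-Type, Authorization")
        self.send_header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")

    def do_OPTIONS(self):  # preflight is answered locally and never forwarded
        self.send_response(204)
        self._cors()
        self.end_headers()

    def _forward(self):
        size = int(self.headers.get("Content-Length") or 0)
        req = urllib.request.Request(
            self.upstream + self.path, data=self.rfile.read(size) if size else None,
            headers=strip_origin(self.headers.items()), method=self.command)
        try:
            resp = urllib.request.urlopen(req, timeout=30)
        except urllib.error.HTTPError as err:  # relay upstream 4xx/5xx unchanged
            resp = err
        body = resp.read()
        self.send_response(resp.getcode())
        for k, v in resp.headers.items():
            if k.lower() not in DROP and not k.lower().startswith("access-control-"):
                self.send_header(k, v)
        self._cors()
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = do_PUT = do_DELETE = _forward

if __name__ == "__main__":  # loopback only: keep the relay off other interfaces
    http.server.ThreadingHTTPServer(("127.0.0.1", 8081), OriginStrippingProxy).serve_forever()
```

That a relay like this works shows the server's origin allow-list constrains browsers only, so the API still needs its own authentication on every request.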
If you guys use Chrome, try this extension: https://chrome.google.com/webstore/detail/requestly-redirect-url-mo/mdnleldcmiljblolnjhpnblkcekpdkpa
You can modify requests on the fly, even headers.