sab

Reputation: 5022

Ajax CORS issue with an Access-Control-Allow-Origin regexp value

Hi,

I get this error when I do an Ajax request to another domain:

XMLHttpRequest cannot load http://rec.something.fr/services/data.
The 'Access-Control-Allow-Origin' header contains the invalid value '*.something.fr'.
Origin 'http://local.something.fr' is therefore not allowed access

I don't understand whether the 'Access-Control-Allow-Origin' header can use a regexp or not. Some sources say it can, others say it cannot.

The big issue is that another company is in charge of http://rec.something.fr. Before I call them, I want to be sure that the issue is on their server and not something missing in my code.

My code (Origin = http://local.something.fr):

$.ajax({
    url: "http://rec.something.fr/services/data",
    crossDomain: true,   // not required for a cross-origin URL; jQuery detects that itself
    dataType: "json"
}).fail(function (jqXHR, textStatus) {
    // a CORS-blocked response lands here with jqXHR.status === 0
    console.error(textStatus, jqXHR.status);
});

The content of the called service is JSON:

[{data:myData}]

If I use the CORS Chrome plugin, which catches the response and replaces Access-Control-Allow-Origin: *.something.fr with Access-Control-Allow-Origin: *, it works.

I cannot use JSONP because this would require updating the rec.something.fr server.

Any idea?

Upvotes: 2

Views: 1934

Answers (1)

sideshowbarker

Reputation: 87984

Access-Control-Allow-Origin values can’t be regular expressions or any other kind of pattern. They must either exactly match the request Origin header, or be null, or be a single literal *.

See also the accepted answer to the question Access-Control-Allow-Origin wildcard subdomains, ports and protocols and the first comment for the question Using a regular expression with CORS.

So there’s no fix you can make on your side to work around this. The http://rec.something.fr maintainers just need to fix the broken Access-Control-Allow-Origin header they’re sending.

I don't understand whether the 'Access-Control-Allow-Origin' header can use a regexp or not. Some sources say it can, others say it cannot.

It definitely cannot. The current authoritative source for the Access-Control-Allow-Origin valid syntax is the ABNF production for it in the “HTTP new-header syntax” section of the Fetch spec:

Access-Control-Allow-Origin      = origin-or-null / "*"

For a good secondary source, see the “Handling a simple request” section of the Using CORS article at HTML5 Rocks, which states it this way:

The value of the header can either echo the Origin request header, or be a '*' to allow requests from any origin.

So if you want to try to help the http://rec.something.fr maintainers correct their server config, you can suggest to them that they should change the code in their server logic to do the following:

  • for requests from origins matching *.something.fr, send Access-Control-Allow-Origin back with a value that’s exactly the same as the value of the request Origin header
  • otherwise, for requests from origins that do not match *.something.fr, then just don’t send back Access-Control-Allow-Origin at all

Upvotes: 2
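The two bullet points above describe the server-side logic in words. The following is an added example, not code from the question, the answer or the rec.something.fr service (whose stack is unknown): a small Node.js-style helper that implements that logic. The domain something.fr and the names ALLOWED_PARENT, isAllowedOrigin and corsHeadersFor are assumptions for illustration. It also adds two things a practitioner would want that the answer does not spell out: the Origin is parsed as a URL and compared by host suffix rather than with a substring or unanchored regex (so evilsomething.fr and something.fr.attacker.example are rejected), and Vary: Origin is always sent so a shared cache cannot serve a response carrying one origin's echoed header to a different origin.

```javascript
// Added example (not from the original page). Produces a valid
// Access-Control-Allow-Origin header for the "*.something.fr" case described
// in the answer. ALLOWED_PARENT, isAllowedOrigin and corsHeadersFor are
// illustrative names, not a real project's API.

// Browsers only accept an exact echo of the request Origin, "null", or "*",
// so the pattern matching must live in server code, never in the header.
const ALLOWED_PARENT = "something.fr"; // assumed allowed parent domain

// True only for http(s) origins whose host is ALLOWED_PARENT or a subdomain
// of it. Parsing with URL and comparing url.origin to the raw header rejects
// anything that is not a bare origin (paths, userinfo, odd casing), and the
// "." prefix in the suffix test keeps "evilsomething.fr" out.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a URL at all
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.origin !== origin) return false; // path, credentials or non-canonical form
  const host = url.hostname;
  return host === ALLOWED_PARENT || host.endsWith("." + ALLOWED_PARENT);
}

// Headers to add to the response for a given request Origin: echo the Origin
// exactly when it is allowed, otherwise send no Access-Control-Allow-Origin at
// all. "Vary: Origin" goes out in both cases so caches key on the Origin.
function corsHeadersFor(origin) {
  const headers = { Vary: "Origin" };
  if (isAllowedOrigin(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// For contrast only: an unanchored regex of the kind people reach for when
// they want "*.something.fr". It also admits attacker-controlled hosts, which
// is why isAllowedOrigin above matches on the parsed hostname instead.
function looselyMatches(origin) {
  return /.*something\.fr/.test(origin);
}

// Usage in a Node.js request handler (assumed; any server that can read the
// request's Origin header and set response headers works the same way):
//   const headers = corsHeadersFor(req.headers.origin);
//   for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);

module.exports = { ALLOWED_PARENT, isAllowedOrigin, corsHeadersFor, looselyMatches };
```

With this in place, a request from http://local.something.fr gets back Access-Control-Allow-Origin: http://local.something.fr, which is exactly the value the browser in the question was expecting, while a request from an unrelated origin gets no such header and is refused by the browser as before.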
