
I would like to access a third-party resource (on another domain) via XML HTTP Requests (XHR, AJAX).

I set up CORS as follows (on both sides - target and origin):

Access-Control-Allow-Origin: http://www.example.com, https://www.example.com, http://www.example.org, https://www.example.org
Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS

Chrome, Firefox and Internet Explorer reject the XHR to https://www.example.org/foo when calling it on http://www.example.com/bar.

Most detailed error message is from Firefox:

XMLHttpRequest cannot load https://www.example.org/foo. The 'Access-Control-Allow-Origin' header contains multiple values 'http://www.example.com, https://www.example.com, http://www.example.org, https://www.example.org', but only one is allowed. Origin 'http://www.example.com' is therefore not allowed access.

That error confuses me extremely. It's like "Hey, you are A and want to talk to B but B only accepts A, B. So you cannot talk to B". WTF?

How to implement CORS (Access-Control-Allow-Origin) correctly?

burnersk
  • what server side language are you using for your resource? (the service that the ajax is calling) – Pete Nov 18 '14 at 14:21
  • @Pete: Both sides are just plain static HTML files. – burnersk Nov 18 '14 at 14:22
  • Ah, I had this problem with my MVC service and had to change my `Access-Control-Allow-Origin` to `*` for multiple domains and then just do the domain checking once processing the data but as yours is plain html I'm not sure how you would allow multiple domains – Pete Nov 18 '14 at 14:26
  • `Access-Control-Allow-Origin: *` is **not** supported by Firefox. Firefox requires Exact-Matches for origins. See: http://www.webdavsystem.com/ajax/programming/cross_origin_requests – burnersk Nov 18 '14 at 14:28
  • weird, seemed to solve my problem in all the browsers - but I was using some third party plugin so it maybe handled that behind the scenes – Pete Nov 18 '14 at 14:35
  • 3
    @Pete That site means that `Access-Control-Allow-Origin: *` is not supported in Firefox *when using* `Access-Control-Allow-Credentials: true` (which is [spec-required behavior](http://www.w3.org/TR/cors/#resource-requests)). It does not mean that `*` is generally disallowed as an allowed CORS origin by Firefox. (The site is about how to set up CORS for WebDAV in particular, which requires credentialed requests.) You may safely continue using `Access-Control-Allow-Origin: *` generally. – apsillers Nov 18 '14 at 15:00
  • I just realized that "but only one is allowed" is in the error. The original error message was extremely long so I didn't see it in the clutter. – burnersk Nov 18 '14 at 15:01

1 Answer


Access-Control-Allow-Origin only accepts * or a single origin.

If you want to support multiple origins but not all of them, then you must:

  1. look at the Origin request header
  2. check if it is on your list of acceptable origins
  3. put it in the Access-Control-Allow-Origin response header
Quentin