0

Getting an "Access-Control-Allow-Origin" error while calling an https URL of the same site via JavaScript from a page of the same site with http.

The site root URL is set in the .cshtml file to use an absolute path. When the page is cached and opened again, the site URL shows as http while the root URL remains https since it's cached, and this causes the "Access-Control-Allow-Origin" error.

I am able to fix the issue by setting "Access-Control-Allow-Origin" to "*" on the action method.

But this means it will allow all domains; I want to allow it for my application or domain only.

How can I set it programmatically, so it will work across all environments?

Is there any other, better way to set the site root URL which will use an absolute path?

Satyajit
  • `https://domainX.com` and `http://domainX.com` are considered different as per Same Origin Policy. – Chintan May 16 '16 at 10:48
  • I think you can configure IIS to allow certain domains. Also you should be able to add the configuration in `web.config`. – Chintan May 16 '16 at 11:07
  • Yes, I searched for "configure IIS to allow certain domains" but did not find much; only a wildcard and a single domain are supported, I guess – Satyajit May 16 '16 at 12:22
  • Yes, it doesn't seem to be possible in IIS. Weird. Only workarounds seem to be available. – Chintan May 16 '16 at 14:20

2 Answers

1

What you are looking for is called CORS (cross-origin resource sharing, http://enable-cors.org/, https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS).

You do not have to use a wildcard on that header, you can set only a specific domain and even limit HTTP methods if you want to.

```
Access-Control-Allow-Origin: http://domain1.com

# if you want to, you can limit the methods too
Access-Control-Allow-Methods: GET, POST
```

As a general rule of thumb, open your system only as much as you need to and try to keep the configuration as "tight" as possible.

Tadas Paplauskas
  • That's right, but will `Access-Control-Allow-Origin: http://domain1.com` allow both http://domain1.com and https://domain1.com? Here the issue is with an https call from an http URL of the same domain. – Satyajit May 16 '16 at 09:30
  • Access-Control-Allow-Origin only accepts a wildcard, null or the exact domain. However, you can do some checks in your server-side application or htaccess script and specify the exact domain you need in that case. You can play with something like this: http://stackoverflow.com/questions/14003332/access-control-allow-origin-wildcard-subdomains-ports-and-protocols/27990162#27990162 http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains/1850482#1850482 same in php: http://stackoverflow.com/a/7454204/5133030 – Tadas Paplauskas May 16 '16 at 10:00
  • ok, thanks for the information, then it looks like there is no direct solution for this. Let's see what others say – Satyajit May 16 '16 at 10:44
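
The server-side check suggested in the comments above, sketched as an ASP.NET MVC action filter. This is an added example, not code from any of the posters: the attribute name `AllowOwnOriginAttribute` and the helper `IsOwnOrigin` are hypothetical, and it assumes `Request.Url` carries the site's public host name (no host-rewriting proxy in front). It accepts the site's own host over either http or https and echoes that one origin back instead of `*`.

```csharp
using System;
using System.Web.Mvc;

// Added example (hypothetical names). Emits Access-Control-Allow-Origin only
// when the caller's Origin is this site's own host, over http or https.
public sealed class AllowOwnOriginAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        var response = filterContext.HttpContext.Response;

        // The response now differs per Origin, so caches must key on it.
        response.AppendHeader("Vary", "Origin");

        string origin = request.Headers["Origin"];
        if (IsOwnOrigin(origin, request.Url))
        {
            // Echo the single matching origin; never "*".
            response.AppendHeader("Access-Control-Allow-Origin", origin);
        }
        base.OnActionExecuting(filterContext);
    }

    internal static bool IsOwnOrigin(string origin, Uri requestUrl)
    {
        Uri parsed;
        if (string.IsNullOrEmpty(origin) || requestUrl == null ||
            !Uri.TryCreate(origin, UriKind.Absolute, out parsed))
            return false;   // absent, "null" or malformed Origin

        bool webScheme = parsed.Scheme == Uri.UriSchemeHttp ||
                         parsed.Scheme == Uri.UriSchemeHttps;

        // An Origin is scheme://host[:port] with no path or query;
        // refuse to echo anything longer than that.
        bool bare = string.Equals(parsed.GetLeftPart(UriPartial.Authority),
                                  origin, StringComparison.OrdinalIgnoreCase);

        // Same host as the one serving this request. The port is not compared,
        // so tighten this if other applications share the host name.
        return webScheme && bare &&
               string.Equals(parsed.Host, requestUrl.Host,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Decorating the action method with `[AllowOwnOrigin]` replaces the hard-coded `*` header, and because the host is taken from the current request, no per-environment configuration is needed.
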
0

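You can cache a condition which tests the protocol and then change the URL dynamically.

For example:

```javascript
var url;  // declared once so it is not an implicit global

// Match the scheme of the page that is making the call
if (location.protocol === "https:") {
    url = "https://....";
} else {
    url = "http://....";
}

// your AJAX call goes here
```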

More info about location protocol here.

pcavalet
  • This can be done, but this extra step will need to be done in each method. If no other good solution is found, I will use it :) – Satyajit May 16 '16 at 09:33
  • You can do it differently if you find it more elegant like `url = location.protocol + "//www.myurl.com/mything/";`, but you still have to do it in each URL variable, yes. If you don't put dynamic in your URL, it will just stay static :) – pcavalet May 16 '16 at 09:43