I'm currently running two sites, one PHP based, one node.js based. The node.js version is the api so let's call it "api.com"
the php site ( php.com ) is the HTML/JS angular based visual site "php.com" that calls through to "api.com" using angular resource POSTs.
So all was good until recently I start gettting this error.
MLHttpRequest cannot load https://api.com/create.
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://php.com' is therefore not allowed access.
The response had HTTP status code 400.
So a few things to note. the api.com is from an https site where as php is http.
In the node.js restify api.com site, it is doing what I think is necessary for CORS support.
// Allow CORS since other sites may be calling this
server.use(
function crossOrigin(req,res,next){
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept" ); // was "X-Requested-With"
return next();
}
);
However it seems to still give the same CORS error. I'm new to this CORS stuff so not sure if it's the PHP server or Node server that needs to issue the header to allow this call to happen?
For sanity I tried adding to the php.com .htaccess file the following...
Header set Access-Control-Allow-Origin "*"
But again still no luck. Really confused as to what is happening and how to do this correctly. I'm pretty sure this is a simple error I'm making so any advice is greatly appreciated in explaining how
**browser (chrome) -> web server (php.com) -> api server (node.js) **
and which server(s) should be sending out the CORS headers