CORS not working php

Question

I am trying to post form data from www.siteone.com to www.sitetwo.com via CORS. My ajax code is this:

<script>
$(document).ready(function(){
        $("#submit").live('click',function() {
            var url = "http://www.sitetwo.com/cors.php";
            var data = $('#form').serialize();
            jQuery.ajax({
                url : url,
                type: "POST",
                data : $('#form').serialize(),
                }).done(function(response){
                    alert(response);
                    }).fail(function(error){
                    console.log(error.statusText);
                    });
                return false;


});
});
</script>

and the file cors.php in www.sitetwo.com is as follows:

<?php
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
 echo "hai";
?>

But still Access-control-Allow-Origin error is thrown. The error thrown is this:

XMLHttpRequest cannot load http://www.sitetwo.com/cors.php. Origin http://www.siteone.com is not allowed by Access-Control-Allow-Origin.

I came to know that, using CORS by just allowing the remote website via headers, we can use cross-domain request. But when I tried like this, error is thrown. Have I missed anything in here? Here is my request/response headers:

Response Headers
Connection  Keep-Alive
Content-Length  487
Content-Type    text/html; charset=iso-8859-1
Date    Fri, 23 Aug 2013 05:53:20 GMT
Keep-Alive  timeout=15, max=99
Server  Apache/2.2.15 (CentOS)
WWW-Authenticate    Basic realm="Site two Server - Restricted Area"
Request Headers
Accept  */*
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Content-Length  43
Content-Type    application/x-www-form-urlencoded; charset=UTF-8
Host    www.sitetwo.com
Origin  http://www.siteone.com
Referer http://www.siteone.com/index.html
User-Agent  Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0

What value does `$_SERVER['HTTP_ORIGIN']` have? What value do you think it should have? Note that [`HTTP_ORIGIN` isn't mentioned in the documentation for `$_SERVER`](http://www.php.net/manual/en/reserved.variables.server.php) — Quentin, Aug 22 '13 at 14:10
I even tried header('Access-Control-Allow-Origin: *'); header('Access-Control-Allow-Methods: POST, GET, OPTIONS'); but it didn't worked. — Ganesh Babu, Aug 22 '13 at 14:11
1.) I have no idea what specific issue you are having. You will need to clarify that. 2.) As always, with these types of questions, show your request and response headers. — Ray Nicholus, Aug 22 '13 at 14:18
@RayNicholus I have now edited the question and shown error that I have encountered. — Ganesh Babu, Aug 22 '13 at 14:27
`$=jQuery.noConflict()` just looks wrong. You're telling jQuery to revert `$` back to it's original value, and then setting it back to jQuery. seems kinda pointless. — Kevin B, Aug 22 '13 at 14:28
@KevinB I have removed it now. But still the error is thrown. — Ganesh Babu, Aug 22 '13 at 14:30
@Ganesh We could probably help you out a lot quicker if you would simply post the request/response headers as requested (several times). Most likely, the problem is due to the fact that jQuery will send an X header (X-Requested-With) along with all requests by default unless you set the `crossDomain` option. The fact that your server isn't acknowledging this X header in a Access-Control-Allow-Headers response header is likely the problem. — Ray Nicholus, Aug 22 '13 at 14:46
@RayNicholus Regret me... Actually I cannot understand what u mean by request/response headers. Are you asking about the response headers from browser?? — Ganesh Babu, Aug 22 '13 at 14:53
It's really hard to read all of that. Why didn't you just edit your question? I'm also fairly sure that you're leaving out some headers, as an X-Requested-With header should also be present in the request. — Ray Nicholus, Aug 22 '13 at 15:08
@RayNicholus very sorry for the delay. Here is the request/response header added in question — Ganesh Babu, Aug 23 '13 at 05:58

score 107 · Accepted Answer · edited May 23 '17 at 12:00

107

Finally, I myself have solved the problem explained in the question. The code that I have implemented for accessing header is incorrect.

The below mentioned two line code, when given, didn't work:

<?php
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
?>

But handling CORS requests properly is a tad more involved. Here is a function that will respond more fully. The updated code is this :

 <?php
    // Allow from any origin
    if (isset($_SERVER['HTTP_ORIGIN'])) {
        header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
        header('Access-Control-Allow-Credentials: true');
        header('Access-Control-Max-Age: 86400');    // cache for 1 day
    }

    // Access-Control headers are received during OPTIONS requests
    if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {

        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
            header("Access-Control-Allow-Methods: GET, POST, OPTIONS");         

        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
            header("Access-Control-Allow-Headers:        {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");

        exit(0);
    }

    echo "You have CORS!";
?>

I have found from another post It worked....

edited May 23 '17 at 12:00

Community

1
1

answered Aug 23 '13 at 09:44

Ganesh Babu

3,590
11
34
67

2

I'd wager it's because `Access-Control-Allow-Origin: *` is wonderfully, beautifully, fantastically insecure – Bojangles Sep 24 '13 at 12:24
9

I agree that "Access-Control-Allow-Origin: *" is insecure but it is important to verify functionality first before locking things down. Everyone please lock down Access-Control-Allow-Origin after you get things up and running! :) – derezz Feb 11 '14 at 00:36
I have had issues with firefox using Access-Control-Allow-Origin: * It seems like FF wants the actual origin in the resoponse header not a wildcard, even though CORS, and Mozilla state that it should work on GET requests. – Karl Feb 12 '14 at 17:33
@duskstriker how to lock it down? so I can actually specific domains? is this the only way? http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains or there is better way to just config that header? – ey dee ey em Aug 18 '16 at 23:11
@GaneshBabu While this solution works, it should be noted that not all browsers support the $_SERVER[HTTP_ORIGIN] and also it may not work in some specific requests. Here is an answer that adheres to W3C recommendations: http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains – padawanTony Sep 15 '16 at 11:23
Voted down because most important comment was not copied from original post: "Decide if the origin in $_SERVER['HTTP_ORIGIN'] is one you want to allow, and if so...". Like this it does the same as `Access-Control-Allow-Origin: *` – Fabian Horlacher Feb 15 '19 at 10:52
this code work for me, and others answer not, why? Thaks. – Roger Sep 22 '19 at 03:18

user4173455 · Answer 2 · 2019-11-27T08:34:41.280

7

To allow CORS for all:

<?php
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept');

echo "You have CORS!";

edited Nov 27 '19 at 08:34

answered Nov 21 '19 at 10:59

user4173455

89
1
4

score 3 · Answer 3 · answered May 25 '19 at 22:01

3

Another reason is if you're missing a semicolon or something anywhere in your php, that CORS error message will be the only error that is displayed by the ajax, even if error reporting is on, while you can see the actual error by going to the php url in your browser.

answered May 25 '19 at 22:01

Curtis

2,486
5
40
44

Thank you so much! Don't know why but I kept missing the log in the server error file regarding a missing ")" in my PHP code, and I kept getting that CORS error in the console. – yenren Oct 19 '19 at 08:17

score 0 · Answer 4 · answered Jul 14 '21 at 21:57

0

Another reason a request might fail is whether your request is directed at a URL that ends with or without a trailing slash. For example in my case I had to target domain.com/api/ because domain.com/api (no slash) was not valid and generated a missing header error.

If you test this URL in the browser, it gets automatically corrected and you'll think the URL is valid, but the request will fail. Very subtle and easy to overlook this one slash at the end.

answered Jul 14 '21 at 21:57

Justin Reinhart

11
2

1

Speculation: It probably has to do with something in my htaccess that is being added by a plugin, forcing trailing slashes, which apparently the JavaScript cannot make up for. – Justin Reinhart Jul 14 '21 at 22:02

CORS not working php

4 Answers4

Linked