I added https://unpkg.com/htmx.org#1.3.3/dist/htmx.min.js.gz to my jsfiddle, but now I get:
CORB: Cross-Origin Read Blocking
Is there a way to work around this?
JSFiddle: https://jsfiddle.net/thomas_guettler/7cLy8m5u/3/
Code:
<button
hx-get="https://raw.githubusercontent.com/guettli/html-fragments/main/fragments/simple-div.html">
Press me
</button>
If I use this URL: https://unpkg.com/htmx.org#1.3.3/dist/htmx.min.js
then I get
Access to XMLHttpRequest at 'https://raw.githubusercontent.com/guettli/html-fragments/main/fragments/simple-div.html' from origin 'https://fiddle.jshell.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
I found a work-around.
If I use a mocky endpoint, then it works.
For example: https://run.mocky.io/v3/6f4b9b4c-4ac9-44e0-89fa-da7d222346df
I guess this http header in the response of github makes the browser reject the snippet:
Referrer Policy: strict-origin-when-cross-origin
Related
I am trying to consume a payment gateway API, with react, I am using useParams() and I get the following cors error how can I solve it?
"Access to XMLHttpRequest at 'https://khipu.com/api/2.0/payments' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status."
I tried to put a proxy in the package.json, but it did not work, I am in a development environment.
Did you check this other answer?
I think you may need to use the
'Access-Control-Allow-Origin': '*',
I hope this helps :D
I am trying to make a request to ping my backend api with XMLHttpRequest.
Following is my code
var r = new XMLHttpRequest();
r.open("POST", 'domain:port/path/');
r.setRequestHeader("Access-Control-Allow-Origin", '*');
r.setRequestHeader("Accept", 'application/json ');
var data = {"key":"value"};
r.send(data);
But I always accept the following error message
Access to XMLHttpRequest at 'domain:port/path/' from origin
'http://localhost:8000' has been blocked by CORS policy: Response to
preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource.
Firstly; I think that's because I didn't set "Access-Control-Allow-Origin". But even I set it, it's not working.
How can I solve my problem?
Thanks.
From MDN
The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin
it is a response header, you need to set Access-Control-Allow-Origin on your server-side code
Access-Control-Allow-Origin is a response header, not a request header.
Your server decides what origins are allowed to access it. If it were that easy to bypass, would it really be a security measure? :-)
If what you truly want is for that endpoint to allow any domain to access it, then you have to add the header, there.
Json issues with javascript and jquery.
Trying to load some JSON using javascript.
I have it working using:
See it here: http://jsfiddle.net/5pjha/789/
var url = "http://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&sensor=true";
$.getJSON(url, function (json) {
alert(JSON.stringify(json.results));
});
But it dosnt work on the following urls, why is this?
https://poloniex.com/public?command=return24hVolume
https://bittrex.com/api/v1/public/getmarkets
https://api.mintpal.com/v1/market/summary/
Are the following urls not correct JSON ?
Thanks
The google's api set the Access-Control-Allow-Origin header to *, so you could access it by cross domain.
While other urls you provided do not, so you will got an error like below:
XMLHttpRequest cannot load https://api.mintpal.com/v1/market/summary/.
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://fiddle.jshell.net' is therefore not allowed
access.
I believe the issue is down to whether or not the servers you are requesting your JSON from have cross-origin resource sharing (CORS) enabled.
you can see in the headers from the google service that they set Access-Control-Allow-Origin:* This is not the case for teh other URL's you list.
To get around this you will need some form of proxy so that you can request from a server either on the same domain or a server that enables CORS.
For ajax request to any server, You need to define Access-Control-Allow-Origin header for client. which is absent in given. You need to define origin of XMLHttp request in server who can request.
For more info refer this link
I have seen this problem quite a few times and it pops up time and again. This is a CORS(i.e. Cross origin request issue).The exact error I got this time is as follows:
XMLHttpRequest cannot load
https://myURL/myappdomain.subdomain.qual1/$count. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 401.
Following are the possible solutions I have worked out in past. But they dont always work. They are URL specific solutions:
1) Having CORS plugin on chrome installed
2) Disabling web security from command line "--disable-web-security"
3) using 'jsonp' as format instead of 'json'
4) toggling cross-origin to "true" or "false".
Questions I need answer for
1) Why do we get this error? Is it something that the Server is imposing on the client pages?
2) What is the safest way to solve this? i.e. The method in which there is not security vulnerability and a reliable method.
3) Why cors is never an issue for API calls made from within nodeJS code?
Json issues with javascript and jquery.
Trying to load some JSON using javascript.
I have it working using:
See it here: http://jsfiddle.net/5pjha/789/
var url = "http://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&sensor=true";
$.getJSON(url, function (json) {
alert(JSON.stringify(json.results));
});
But it dosnt work on the following urls, why is this?
https://poloniex.com/public?command=return24hVolume
https://bittrex.com/api/v1/public/getmarkets
https://api.mintpal.com/v1/market/summary/
Are the following urls not correct JSON ?
Thanks
The google's api set the Access-Control-Allow-Origin header to *, so you could access it by cross domain.
While other urls you provided do not, so you will got an error like below:
XMLHttpRequest cannot load https://api.mintpal.com/v1/market/summary/.
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://fiddle.jshell.net' is therefore not allowed
access.
I believe the issue is down to whether or not the servers you are requesting your JSON from have cross-origin resource sharing (CORS) enabled.
you can see in the headers from the google service that they set Access-Control-Allow-Origin:* This is not the case for teh other URL's you list.
To get around this you will need some form of proxy so that you can request from a server either on the same domain or a server that enables CORS.
For ajax request to any server, You need to define Access-Control-Allow-Origin header for client. which is absent in given. You need to define origin of XMLHttp request in server who can request.
For more info refer this link