CORS with only javascript - javascript

Doing a JavaScript-only assignment, I was provided an Ubuntu machine and would like to spin up a container with Node.js serving the HTML, CSS and JavaScript. Then I would like another container with the backend API. Since this is all happening on the same server or IP, is it possible to have no cross-origin calls?

See the Same-origin policy:
Two URLs have the same origin if the protocol, port (if specified), and host are the same for both.
You can't have two different services listening on the same port, so even if your static content and API servers shared an IP address, they would have to run on different ports.
So you would either need to configure CORS for the API server, or configure your static content server to proxy requests to the API server.

You would need to provide the correct CORS settings on your backend API; CORS does take into account port numbers. See this post for reference: CORS error on same domain?
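The two-container setup from the question, as an added example that is not part of the original posts: it checks whether the page and the API share an origin, then builds the CORS headers an allow-listing API server would send. The address, ports and the names `sameOrigin` and `corsResponse` are constructed for illustration.

```javascript
// Added example. The address and ports are constructed for illustration.
const PAGE_URL = 'http://203.0.113.10:8080/index.html'; // static-content container
const API_URL = 'http://203.0.113.10:3000/api/items';   // backend API container

// An origin is scheme + host + port; URL.origin also normalises default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Origins whose scripts may read API responses (exact-string match).
const ALLOWED_ORIGINS = new Set([new URL(PAGE_URL).origin]);

// Decide the CORS part of one API response. `headers` holds the request
// headers with lower-case names, as Node's http module presents them.
// status === null means "not a preflight, let the normal handler answer".
function corsResponse(method, headers) {
  const origin = headers.origin;
  // No Origin header: not a CORS request, nothing to add.
  if (origin === undefined) return { status: null, headers: {} };
  // Vary: Origin keeps caches from reusing a response across origins.
  const out = { Vary: 'Origin' };
  // Unknown origin: no Access-Control-* headers, so the browser blocks the read.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: null, headers: out };

  out['Access-Control-Allow-Origin'] = origin;
  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  if (method === 'OPTIONS' && headers['access-control-request-method']) {
    out['Access-Control-Allow-Methods'] = 'GET, POST';
    out['Access-Control-Allow-Headers'] = 'Content-Type';
    return { status: 204, headers: out };
  }
  return { status: null, headers: out };
}

console.log('same origin?', sameOrigin(PAGE_URL, API_URL));
console.log(corsResponse('GET', { origin: 'http://203.0.113.10:8080' }));
```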

Related

Can an HTTPS web application make calls to a non-HTTPS origin?

I have a small web application that needs to make calls to a device on my local network. It does this using fetch to the local IP address of the device (e.g. http://192.168.1.25:8060). The device does not serve its traffic over HTTPS and cannot. The web application is public facing and I would like to add a service worker for offline support.
Service workers require HTTPS, and calls from an HTTPS origin to a non-HTTPS origin are a security risk and so are not allowed by modern browsers. Without using a local proxy (which would defeat the purpose), is there some way around this "limitation"?
How can "https://example.com" make a call to http://192.168.1.25:8060?
Possible duplicate of How can I allow Mixed contents (http with https) using content-security-policy meta tag?. Browsers won't allow this because it breaks the user trust model.
A local HTTPS proxy is ideal. Configure a public DNS entry like internal.example.com with a low TTL (if your internal IP changes often) to point to your internal IP. Create a trusted SSL cert for that subdomain, then run your local HTTPS proxy with that SSL cert. If your internal server is behind a firewall, point internal.example.com to a public web server first, create the cert on that public server, then copy the cert and change the DNS to your local server. Or use a wildcard cert *.example.com to avoid that "temporary public" hassle entirely.

Does Cross-origin resource sharing affect all clients that connect to a web method?

I have a web method that I want to call from my C# app and was provided with a JavaScript example showing how to call the method. I have established that running the JavaScript from my desktop runs into CORS problems - I was able to run the sample when I put the JavaScript on the server and ran it from the same folder as the web method.
Will my C# app run into the same CORS issue? Or will it be OK because only the browsers have the built-in CORS security?
--Edit--
I've been using System.Net.Http.HttpClient and http://restsharp.org/
Am I correct in assuming that these two objects are wrappers around a web browser, and that they will have issues with CORS?
I really don't want to have to write Sockets code.
For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts in the browser. For example, XMLHttpRequest follows the same-origin policy. That means a web application using XMLHttpRequest could only make HTTP requests to its own domain. This prevents the application from being vulnerable to CSRF attacks. However, there are cases when applications need to access resources from a different domain. This is when CORS comes into play to allow cross-domain requests.
Having said all that, your C# app should be able to call the WEB API without any CORS issues as long as it's a socket to socket communication (not via browser).
Somewhere in the deep recesses of my mind I remember that browser-related CORS will always be blocked unless noted or changed, for example if you're in Chrome and have the CORS extension allow browser CORS control, but on the server side there is nothing preventing servers from interacting with one another.
But it depends on what is allowed in the headers.
I'll try to produce some documentation that confirms that.
https://spring.io/understanding/CORS
The request includes an Origin header that indicates the origin of the client code.
The server will consider the request's Origin and either allow or disallow the request. If the server allows the request, then it will respond with the requested resource and an Access-Control-Allow-Origin header in the response. This header will indicate to the client which client origins will be allowed to access the resource. Assuming that the Access-Control-Allow-Origin header matches the request's Origin, the browser will allow the request.
On the other hand, if Access-Control-Allow-Origin is missing in the response or if it doesn't match the request's Origin, the browser will disallow the request.
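The browser-side check described in the quoted passage, as an added example that is not part of the original answers: a simplified model of how a browser decides whether page script may read a cross-origin response, next to a non-browser client (such as the C# app in the question) that applies no check at all. The function names and sample origins are constructed for illustration.

```javascript
// Added example: simplified model of the browser's CORS check on a response.
// `responseHeaders` uses lower-case header names.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders['access-control-allow-origin'];
  // Header missing: the browser withholds the response from the script.
  if (acao === undefined) return false;
  // Wildcard is accepted only for requests sent without credentials.
  if (acao === '*') return !withCredentials;
  // Otherwise the value must equal the page's origin exactly.
  if (acao !== pageOrigin) return false;
  // Credentialed requests also need Access-Control-Allow-Credentials: true.
  if (withCredentials) {
    return responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// A non-browser HTTP client performs no such check: whatever the server
// sent is available to the calling code, whatever the headers say.
function nonBrowserClientReads(_responseHeaders) {
  return true;
}

// Compare both kinds of client on the same response.
function compare(pageOrigin, responseHeaders, withCredentials = false) {
  return {
    browserScript: browserAllowsRead(pageOrigin, responseHeaders, withCredentials),
    nonBrowserClient: nonBrowserClientReads(responseHeaders),
  };
}

// Constructed sample responses from a hypothetical API.
const PAGE = 'https://app.example';
console.log(compare(PAGE, {}));                                              // no CORS header
console.log(compare(PAGE, { 'access-control-allow-origin': 'https://other.example' }));
console.log(compare(PAGE, { 'access-control-allow-origin': PAGE }));
console.log(compare(PAGE, { 'access-control-allow-origin': '*' }, true));    // credentialed
```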

What is the correct CORS entry for limiting an http:// connection to a remote, hosted web server from a grunt web server on a home network?

I've set up a remote, hosted JavaScript server (DreamFactory Server http://www.dreamfactory.com/) that responds via REST APIs.
Locally, I'm running an Angularjs application through the grunt web server via $grunt serve
https://www.npmjs.com/package/grunt-serve
I have set up CORS on the remote server to allow '*' for multiple http:// connection types. THIS WORKS CORRECTLY.
My question is how I can limit the CORS configuration to only allow a connection from my home, grunt web server?
I've tried to create an entry for "localhost", "127.0.0.1", also my home Internet IP that is reported from whatismyip.com, the dns entry that my provider lists for my home IP when I ping it, a dyndns entry that I create for my home internet IP... None of them work, except for '*' (which allows any site to connect).
I think it is an educational issue for me to understand what that CORS entry should look like to allow ONLY a connection from my home web server.
Is this possible? If so, what and where should I be checking in order to find the correct entry to clear in the CORS configuration?
-Brian
To work and actually apply restrictions, the client requesting the connection must support and enforce CORS. In an odd sort of way (from a security point of view), restricting access using CORS requires a self-policing client (one that follows the prescribed access rules). This works for modern browsers as they all follow the rules so it generally works for applications that are served through a browser.
But, CORS access restrictions do not prevent other types of clients (such as any random script in any language) from accessing your API.
In other words, CORS is really about access rules from web pages that are enforced by the local browser. It doesn't sound like your grunt/angular code would necessarily be something that implements and enforces CORS.
If you really want to prevent other systems from accessing your DreamFactory Server, then you will need to implement some server-side access restrictions in the API server itself.
If you just have one client accessing it and that client is using "protected" code that is not public, then you could just implement a password or some sort of logon credentials and your one client would be the only client that would have the logon credentials.
If the access is always from one particular fixed IP address, you could refuse connections on your server from any IP address that was not in a config file you maintained.
You can't secure an API with CORS; for that you will need to implement an authentication scheme on your server. There are essentially 4 steps to do this:
- Update the headers your server sends with a few additional Access-Control statements.
- Tell Angular to allow cross-domain requests.
- Pass credentials in your API calls from Angular.
- Implement an HTTP Authentication scheme on your web server or in your API code.
This post by Georgi Naumov is a good place to look for details of an implementation in Angular and PHP.
AngularJS $http, CORS and http authentication
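The server-side restrictions the answers above recommend (a fixed client address and a credential), as an added example that is not part of the original posts or of DreamFactory: the decision ignores the client-supplied Origin header entirely. The bearer-token scheme, the policy values and the function names are assumptions made for illustration.

```javascript
// Added example; the token, addresses and field names are constructed.
const POLICY = {
  allowedIps: new Set(['198.51.100.7']),  // placeholder for the one fixed client address
  apiToken: 'constructed-example-token',  // placeholder; keep the real value in a secret store
};

// Compare two strings without stopping at the first differing character.
// (In Node, crypto.timingSafeEqual on equal-length Buffers is the library route.)
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % Math.max(b.length, 1));
  }
  return diff === 0;
}

// Decide whether the API should serve this request at all.
// `req` is a plain object shaped like { remoteAddress, headers }.
function authorize(req, policy = POLICY) {
  // req.headers.origin is client-supplied and is deliberately not consulted.
  if (!policy.allowedIps.has(req.remoteAddress)) {
    return { status: 403, reason: 'address not allowed' };
  }
  const auth = req.headers.authorization || '';
  const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
  if (!constantTimeEqual(token, policy.apiToken)) {
    return { status: 401, reason: 'bad or missing token' };
  }
  return { status: 200, reason: 'ok' };
}

// Constructed requests: a script elsewhere claiming the "right" Origin,
// the home client without a token, and the home client with one.
const SAMPLES = [
  { remoteAddress: '203.0.113.50', headers: { origin: 'http://localhost:9000' } },
  { remoteAddress: '198.51.100.7', headers: { origin: 'http://localhost:9000' } },
  { remoteAddress: '198.51.100.7', headers: { authorization: 'Bearer constructed-example-token' } },
];
for (const s of SAMPLES) console.log(s.remoteAddress, authorize(s));
```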

Ajax cross domain on same machine but different port

We have a set of APIs that we're calling from the same machine; the address is mycompany.com:8080 for the server and mycompany.com for the ajax.html file.
How can we avoid the cross domain policy?
Any way to do this with some proxy configuration?
Please, no JSONP!
Thanks!
Two or more documents can be considered to be in the same domain origin if they have the:
- Same Host
- Same Port
- Same Protocol.
In your case the port is different, so you cannot put the Ajax query directly. Instead you need to specify the following header in the response.
Access-Control-Allow-Origin: mycompany.com
For more info, check this
You ask if this can be done with a proxy configuration, and of course that's one simple solution, just have the main server proxy requests to the AJAX server. It's usually simple to set up. But the Same Origin Policy means that you won't be able to do this with a pure client-side solution.

Ajax cross application on same machine

I have 2 applications running on the same machine:
node.js app running on port 15000
a full javascript application running on port 15001
Both are served through nginx front end (each app defined as a virtual host)
Ajax requests from the javascript app (requesting resources from the node.js app) are not working.
Is this linked to the restriction of Ajax for cross domain? The domain is the same (only the ports are different).
Any idea?
Different ports are seen as different domains.
MDC Same Origin Policy
Yes, limiting requests on same domain to different port
Same origin policy
https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript
http://en.wikipedia.org/wiki/Same_origin_policy
