I am not getting a response from an API call using an Angular 4 service, but the same call works in the browser. I am facing the error given below - Cross-Origin Read Blocking (CORB) blocked cross-origin response
I was having a similar challenge in getting a response as well. With mine, I was actually making an HTTP GET request with respect to Google OpenID Connect, but maybe your use case might be different.
So this is how I fixed it. Upon sending an authentication request to Google, I used a wrong base URL though it was working alright in the browser. I changed the base url rather to https://accounts.google.com/.well-known/openid-configuration in my Angular 8 service layer. Maybe you can check it out.
Hope it helps :)
So I started watching a tutorial on how to fetch data from a web api, and the first line of code that the instructor writes is this.
fetch('https://www.metaweather.com/api/location/2487956/')
He then explains that you can't fetch data from a website that isn't yours because of the same origin policy and uses a workaround which is using the crossorigin.me site. It works for him in the video, but doesn't work for me and it always gives me this error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.metaweather.com/api/location/2487956/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)
I've been looking for over an hour and I couldn't find a single solution. I'd really appreciate it if someone could help me out.
Or you can use a CORS plugin for Chrome and use it
From your question, using fetch() means that you are using either JavaScript or one of its frameworks. If I may ask, which method are you using as your request method: POST or GET?
When calling the Marketo munchkin.js we are seeing intermittent XHR/CORS errors. This does not happen on every request; it is very spotty. Getting into Heisenbug territory.
The specific response from Firefox was:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at XYZ.mktoresp.com/webevents/visitWebPage?XYZ
This can be fixed by moving the resource to the same domain or enabling CORS.
Marketo has informed us that we need to enable CORS on our server for their domain, which we did, and we are still seeing the issue. The confusing thing is these are GET requests, which are allowed without CORS. These are not POST methods; they specifically call Marketo's munchkin.js tracking function visitWebPage (GET), which returns a 1x1 PNG tracking pixel in the response.
The confusing part is we made no server configuration changes on any of our environments, this was confirmed by our SCM. We are seeing this issue on multiple sites on different platforms/hosts. We have also tested the simple munchkin.js calls and the jQuery.ajax calls.
If anyone else in the community is seeing this please let me know.
I am the developer for Munchkin.js at Marketo Inc.
The CORS errors reported by Firebug do not interfere with any Munchkin/Page functionality. They are caused by an optimization in the current version of munchkin which tries to release the XHR connection as soon as it has reported the page activity to Marketo. Firebug mis-reports this as a CORS error. Other browsers correctly report this as cancelled.
We are currently planning to remove the optimization in a future release since a lot of customers seem concerned by both the CORS and cancelled messages.
I'm trying to process onedrive files in client-side javascript, but first I need a way to use XMLHttpRequest to download the file. Onedrive supports cors for a lot of operations, but for downloading the file into javascript there is the following problem:
As mentioned here: onedrive rest api manual
I can send a request to:
GET https://apis.live.net/v5.0/FILE_ID/content?access_token=ACCESS_TOKEN
and it will reply with a Location header redirecting the browser to the file. The problem is when I send these requests through XHR, the browser always sends the Origin header with the request. For the first request I described above, onedrive also replies with an Access-Control-Allow-Origin:* header, so the request is allowed in the browser. However, when the browser is redirected to the actual location of the file, that resource does not have the Access-Control-Allow-Origin header, so the XHR request is denied by the browser (Chrome sends an Origin header set to null for the redirect request).
I've also tried getting the location but not redirecting automatically, and then sending another XHR request, this will set the origin header to the domain of my site, but the result is the same.
As I mentioned in the beginning, I need to process the data in javascript, so I'm not asking about how to download onedrive files to hard drive. I need the data to be accessible by javascript in the webpage.
I know that I can use server side programming to get the file data for me and then send it to the client, but for my application this is not an option(at least this is not what I'm asking for at the moment).
If there is no way to do this, does anyone have an idea why they would implement their api this way? To allow javascript to get the location through cors and redirect but not include a cors header for the redirected resource. Why not just deny cors in the first place? Is this a bug?
The answer, as best as I can tell, is that downloading content cannot be done purely by JavaScript in a browser. Why did they do it this way? You'd have to ask them, but I would guess either a bug, or some unspecified "security concerns". For what it's worth, they seem to think that downloading content is CORS compliant in the documentation here: https://dev.onedrive.com/misc/working-with-cors.htm:
To download files from OneDrive in a JavaScript app you cannot use the
/content API, since this responds with a 302 redirect. A 302 redirect
is explicitly prohibited when a CORS preflight is required, such as
when providing the Authorization header.
Instead, your app needs to select the #content.downloadUrl property,
which returns the same URL that /content would have redirected to.
This URL can then be requested directly using XMLHttpRequest. Because
these URLs are pre-authenticated they can be retrieved without a CORS
preflight request.
However, to the best of my knowledge, they are wrong. Just because you don't need a preflight request doesn't mean that the response is CORS-compliant. You still need an Access-Control-Allow-Origin header on the response.
For anyone wondering, this is still an issue in the new Graph API (which is essentially a proxy API to the OneDrive API, as I understand it). The same basic issue is still present - you can get a download URL from your items, but that URL points to a non-CORS-compliant resource, so it doesn't do you a whole lot of good.
I have an active issue open with Microsoft here about this issue. There has been some response to my issue (I got them to expose the download URL through the graph API), but I'm still waiting to see if they'll come up with a real solution to downloading content from JavaScript.
If I get a solution or real answer on that issue, I'll try to report back here so others in the future can have a real answer to reference.
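A simplified model of the check this answer describes, as an added example that is not part of the original thread: every hop of a redirect chain must pass the browser's CORS check on its own, whether or not a preflight was needed. The hosts, the `followChain` and `corsCheck` names and the sample chain are constructed for illustration.

```javascript
// Added illustration: simplified model of the browser's CORS check for a
// simple GET (no preflight). Header names are lowercase; hosts are constructed.
function originOf(url) {
  return new URL(url).origin;
}

// May script running on the page read this response?
function corsCheck(originHeader, credentialed, headers) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;            // header missing
  if (!credentialed && acao === "*") return true;  // wildcard, no cookies
  if (acao !== originHeader) return false;         // must match exactly
  if (!credentialed) return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Walk a redirect chain. Every hop is still sent to its server; the check
// only decides whether the final body is exposed to the page's script.
function followChain(pageOrigin, hops, credentialed = false) {
  let originHeader = pageOrigin; // Origin value sent on cross-origin hops
  let cors = false;              // stays true once a hop leaves pageOrigin
  const sent = [];
  for (let i = 0; i < hops.length; i++) {
    const { url, headers } = hops[i];
    const here = originOf(url);
    if (here !== pageOrigin) cors = true;
    sent.push({ url, originHeader });
    if (cors && !corsCheck(originHeader, credentialed, headers)) {
      return { readable: false, blockedAt: url, sent };
    }
    const next = hops[i + 1];
    // A redirect from one foreign origin to another taints the origin,
    // so the next hop carries "Origin: null".
    if (next && here !== pageOrigin && originOf(next.url) !== here) {
      originHeader = "null";
    }
  }
  return { readable: true, blockedAt: null, sent };
}

// Constructed chain shaped like the /content redirect discussed above.
const PAGE = "https://app.example";
const chain = [
  { url: "https://api.example.net/v5.0/FILE_ID/content",
    headers: { "access-control-allow-origin": "*" } },
  { url: "https://files.example.org/blob", headers: {} },
];
const result = followChain(PAGE, chain);
console.log(result.readable, result.blockedAt, result.sent[1].originHeader);
```

Both requests appear in `sent`, so both servers received them; only the script's access to the body is refused at the second hop.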
This is not an answer, I cannot comment yet.
Last week the new API for onedrive was released. http://onedrive.github.io/index.htm
Unfortunately it will not solve the problem.
https://api.onedrive.com/v1.0/drive/root:{path and name}:/content?access_token={token}
Will still redirect to a resource somewhere at https://X.files.1drv.com/.X.
Which will not contain any Access-Control-Allow-Origin headers. Same goes for the Url "#content.downloadUrl" in the JSON response.
I hope that microsoft will address this problem in the very near future, because the API is at the moment of very limited use, since you cannot process file contents from onedrive with html5 apps. Apart from the usual file browser.
The only solution, which I see at the moment would be a chrome app, which can process the Url without CORS. see https://developer.chrome.com/apps/angular_framework
Box does exactly the same thing for download requests. I have not found any way around this problem without involving a server because the browser will not let your program get access to the contents of the 302 redirect response. For security reasons I am not convinced of, browsers mandatorily follow redirect requests without allowing user intervention.
The way we finally worked around this was:
1. The browser app sends the GET request to the server, which forwards it to the cloud provider (Box/OneDrive).
2. The server then DOES NOT follow the 302 redirect response from Box or OneDrive.
3. The server instead returns to the browser app the content of the Location field in the 302 response header, which contains the download URL.
4. The JavaScript in the browser app then downloads the file using the URL.
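The server-side step of this workaround, as an added example that is not the poster's code: the server requests the file without following the redirect and hands back the Location value only after checking that it is an HTTPS URL on an expected download host. It assumes Node 18+ (built-in `fetch`); the function names and the `.files.1drv.com` allowlist (taken from the host pattern mentioned in this thread) are assumptions.

```javascript
// Added illustration, not the poster's code. Assumes Node 18+ (global fetch).
// Assumption: download hosts end in ".files.1drv.com", the pattern seen in
// this thread; extend the list for other providers.
const ALLOWED_SUFFIXES = [".files.1drv.com"];

// Validate the provider's response and extract the URL to return to the
// browser app. Returns null for anything that is not an expected redirect.
function pickDownloadUrl(status, location) {
  if (status !== 302 || !location) return null;  // expected a 302 + Location
  let target;
  try {
    target = new URL(location);
  } catch {
    return null;                                 // malformed or relative URL
  }
  if (target.protocol !== "https:") return null; // never hand back plain HTTP
  const allowed = ALLOWED_SUFFIXES.some((s) => target.hostname.endsWith(s));
  return allowed ? target.href : null;           // refuse unexpected hosts
}

// Ask the provider for the file but do not follow the redirect.
// In Node, redirect: "manual" returns the 3xx response with readable headers.
async function resolveDownloadUrl(contentUrl) {
  const res = await fetch(contentUrl, { redirect: "manual" });
  return pickDownloadUrl(res.status, res.headers.get("location"));
}
```

The host check keeps the endpoint from relaying arbitrary redirect targets to the browser app.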
You can now just use the "#content.downloadUrl" property of the item in your GET request. Then there is no redirection.
From https://dev.onedrive.com/items/download.htm:
Returns a 302 Found response redirecting to a pre-authenticated download URL for the file. This is the same URL available through the #content.downloadUrl property on an item.
I spent the last 3 days studying how to make a cross domain request using XMLHttpRequest. The best alternative is indeed with JSONP which I am already using.
But I still have a question that I could not find an answer to anywhere. I read hundreds of posts (including SO's) and nobody has a good reliable answer (with a nice reference). Hope someone here can help.
That said, I read on many websites that due to security reasons I cannot make an Ajax request from domain example.com to yyy.com and get the data I want. It's very clear and I have no question about that. BUT the problem is when I run the code below on my localhost (so my domain is "localhost" and I should not be able to request any data from another domain).
xhReq = new XMLHttpRequest();
xhReq.open("GET","http://domain.com.br?parameter",true);
xhReq.send(null);
When I inspect the Firebug Net tab I realize that the request was not blocked! It was clearly requested. I could not believe it. So I created a file at domain.com.br/log.php where I could log any request that hit my domain. Surprisingly, all the requests I was firing from localhost were hitting my domain.com.br. When I tried to fetch the response I really could not get it due to the same origin policy of my Chrome and Firebug browser. But I was really surprised that the request really hit the webserver even though I could not manipulate the response.
More surprising is that if domain.com.br/log.php generates a huge response of like 1MB, my Firebug showed me that the browser does download ALL the 1MB from the webserver, and at the end it shows a message "Access denied" as expected. So why download the whole file if the same origin policy forbids that data from being read?
Finally, what amazes me is that all the websites and specifications I read say very CLEARLY that the request is blocked using Ajax when the target domain does not match the source domain. But clearly, with my experiment, the requests are being completed, even though I cannot access the response data.
What makes me upset is that it could open a BIG security hole, in which a website with thousands of views every day could run this 3 line code and cause a HUGE DDoS attack on an unfriendly website just by making the users request a page on another website at small intervals, since the browser will not block the request.
I tested this script in IE 7, 8 and 9 and the latest Chrome and Firefox, and the behaviour is the same: the request is made and the browser downloads all of the response while not making it available due to SOP.
Hope someone can explain to me why the specs are so wrong about it or what I am understanding wrong!
The request can be made, and the server may generate a response, regardless of CORS. However, the response may be hidden. balpha wrote about this in his blog recently:
Note that the same origin policy doesn't necessarily prevent the request per se – it just prevents the response from being accessible. A malicious site can e.g. just redirect your browser, or submit a form, or include an image or an iframe – in all those cases a request is made to your site; the evil site just doesn't see the response.
To some extent, the browser has to make a request to the server to see if it serves an "Access-Control-Allow-Origin" header. Remember that CORS is completely implemented by the browser. Someone could just write a console application to make a request to your server, so you shouldn't rely on CORS to make sure requests are only coming from your own site.
You can achieve the same effect (like a dos attack you said) with a simple image file, it does not necessarily need to be XHR. Link an image file from a different website, put millions of it in your page, display it to your users and boom.
I had a read of what same origin policy means on Wikipedia, however I fail to understand how it works. I do understand that it prevents, for example, a JavaScript on my website from interacting with a script on a separate site, however what does this exactly mean?
If your script (JS) tries to perform some HTTP request to the site other than the one it originated from via XMLHttpRequest, the request will fail, return status code will be 0 and error message - null.
That's how it worked originally.
Right now there is a Cross-Origin Resource Sharing (CORS) specification, which is more or less supported by most modern browsers. It allows such requests, but with strict limitations.
It means if you load
http://www.stackoverflow.com/
and your browser loads javascript, then that javascript cannot access a url that doesn't come from that page. There are a lot of details, for example, you could not access
https://www.stackoverflow.com
but an ajax request could access
http://www.stackoverflow.com/something/something
The browser itself would not allow the request to be fired.
EDIT -- This might be helpful: http://www.google.com/support/forum/p/Chrome/thread?tid=171316324d16747b&hl=en