I have 2 applications running on the same machine:
node.js app running on port 15000
a full javascript application running on port 15001
Both are served through nginx front end (each app defined as a virtual host)
Ajax requests from the javascript app (requesting resources from the node.js app) are not working.
Is this linked to restriction of Ajax for cross domain ? The domain is the same (only the port are differents).
Any idea ?
Different ports are seen as a different domains.
MDC Same Origin Policy
Yes, limiting requests on same domain to different port
Same origin policy
https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript
http://en.wikipedia.org/wiki/Same_origin_policy
Related
Doing a javascript only assignment, i was provided an ubuntu machine and would like to spin up a container with a nodejs Serving the HTML, css, javascript. Then i would like another container with the backend API...since this all happening in the same server or IP , Is that posible no cross Origin calls????
See the Same-origin policy:
Two URLs have the same origin if the protocol, port (if specified), and host are the same for both.
You can't have two different services listening on the same port, so even if your static content and API servers shared an IP address, they would have to run on different ports.
So you would either need to configure CORS for the API server, or configure your static content server to proxy requests to the API server.
You would need to provide the correct CORS settings on your backend API; CORS does take into account port numbers. See this post for reference: CORS error on same domain?
I'm creating a Progressive web app and need to make requests to an API which is HTTP and doesn't have HTTPS. Can't change the app to HTTP as PWA's require HTTPS, can't change request link to https.
Getting this error:
Mixed Content: The page at 'https://current-site.herokuapp.com/' was
loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://the-api.com/api/customer?$filter=contains(CustomerName,%20%27test%27)&$select=CustomerName,CustomerId&$top=10'.
This request has been blocked; the content must be served over HTTPS.
Hoping there's a way around this. Currently using nodejs and express to serve. Requests are being made from frontend vuejs with axios.
Thanks for helping.
Shy of using an insecure or old browser, or telling your users to use some command line flags before surfing the web, there is not a direct method for this. This is by design and would be a major security flaw if apps could do this directly.
However, if you're determined to use the insecure API, you can write an HTTPS proxy API on your server, that turns around and does the request to the real API over HTTP.
So you can't make a request to another domain under the same origin policy. But does that apply to code you running inside the Chrome JS console with the page of that domain opened? And does that apply to a backend server app making a request to the other domain?
Question1: Chrome
When you run code inside Chrome JS console, you are running code in the context of a given page and you inherit the same security sandbox that the page has. All web pages are subject to CORS restrictions (cross origin resource sharing).
As a side note, cross origin request are allowed if the API you are calling explicitely allows them (which is implemented server side by setting some HTTP headers), or if you use another legacy cross origin technique (hacks) like JSONP.
Question 2: Server side
CORS is a browser thing, to protect web users against malicious JS acting on their behalf (for example, to reconfigure their home router), there is no such thing server side.
I am trying to access a rest service on the guest system (windows) from the host machine (osx) in Parallels 9.
I have CORS set to allow everybody to use the service. Server and the client on different port
When the javascript is accessing the service i am still getting the error message that because of CORS, it is not allowed.
Failed to load resource: Origin http://127.0.0.1:9000 is not allowed
by Access-Control-Allow-Origin.
It is working when the javascript and the server are on the same machine.
So I assume there is an issue with the virtual machine's network. Any idea why CORS not working over the virtual machine?
thank you
We have a set of api that we're calling from the same machine, the address is mycompany.com:8080 for the server and mycompany.com for the ajax.html file.
How can we avoid the cross domain policy?
Anyway to do this with some proxy configuration?
please, no JSONP!
Thanks!
Two or more documents can be considered in same domain origin, if they have on
- Same Host
- Same Port
- Same Protocol.
In your case port is different so you can not put ajax query directly. Instead you need to specify following header in response.
Access-Control-Allow-Origin: mycompany.com
For more info, check this
You ask if this can be done with a proxy configuration, and of course that's one simple solution, just have the main server proxy requests to the AJAX server. It's usually simple to set up. But the Same Origin Policy means that you won't be able to do this with a pure client-side solution.