I am getting the following error:
XMLHttpRequest cannot load
https://code.getmdl.io/1.3.0/material.indigo-pink.min.css. No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'https://nhalistonfirebase.firebaseapp.com' is
therefore not allowed access.
Here's my firebase.json file:
{
"hosting": {
"public": "public",
"rewrites": [
{
"source": "**",
"destination": "/index.html"
}
],
// Add the "headers" section within "hosting".
"headers": [
{
"source": "**/*.#(eot|otf|ttf|ttc|woff|font.css)",
"headers": [
{
"key": "Access-Control-Allow-Origin",
"value": "*"
}
]
},
{
"source": "**/*.#(jpg|jpeg|gif|png)",
"headers": [
{
"key": "Cache-Control",
"value": "max-age=7200"
}
]
}
]
}
}
How should this be corrected?
code.getmdl.io doesn’t send the Access-Control-Allow-Origin response header that’s necessary to make browsers allow your frontend JavaScript code to access the response.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS has more details.
The firebase.json file shown in the question is for the https://nhalistonfirebase.firebaseapp.com site I guess? If so, it doesn’t matter what CORS config you do there—what instead matters is what CORS config is set on the site your code is sending the request to.
And the code.getmdl.io site apparently has no CORS config to allow cross-origin requests.
But you can get around this by using a CORS proxy. You can instead use this request URL:
https://cors-anywhere.herokuapp.com/https://code.getmdl.io/1.3.0/material.indigo-pink.min.css
That sends the request through https://cors-anywhere.herokuapp.com, which forwards the request to https://code.getmdl.io/1.3.0/material.indigo-pink.min.css and then receives the response. The https://cors-anywhere.herokuapp.com backend adds the Access-Control-Allow-Origin header to the response and passes that back to your requesting frontend code.
The browser will then allow your frontend code to access the response, because that response with the Access-Control-Allow-Origin response header is what the browser sees.
You can also easily set up your own CORS proxy using https://github.com/Rob--W/cors-anywhere/
Related
I have built a google workspace addon for calendar conference solution using app script and oauth2 library.
My oauth client code is:
return (
OAuth2.createService("OAuthApp")
// Set the endpoint URLs.
.setAuthorizationBaseUrl(`${FRONTEND_DOMAIN}/auth/login`) // frontend api
.setTokenUrl(`${BACKEND_DOMAIN}/v1.0/oauth/exchange-code-for-token`) // backend api
// Set the client ID and secret.
.setClientId(CLIENT_ID)
.setClientSecret(CLIENT_SECRET)
// Set the name of the callback function that should be invoked to
// complete the OAuth flow.
.setCallbackFunction("authCallback")
// Set the property store where authorized tokens should be persisted.
.setPropertyStore(PropertiesService.getUserProperties())
.setCache(CacheService.getUserCache())
.setLock(LockService.getUserLock())
);
Where for setAuthorizationBaseUrl i have provided out frontend page to open login page for user to authenticate. When user authenticates successfully, backend redirects to the addon on https://script.google.com/macros/d/{SCRIPT_ID}/usercallback with auth code in params and status code 302.
However when i redirect the frontend to addon from backend i get this error in console:
Access to XMLHttpRequest at 'https://script.google.com/macros/d/{SCRIPT_ID}/usercallback?code=4611729c041e9d0f93506bcfa772707d' (redirected from 'https://{BACKEND_ENDPOINT}/oauth/verify-otp') from origin 'https://{FRONTEND_ENDPOINT}' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
My add on manifest is:
{
"oauthScopes": [
"https://www.googleapis.com/auth/calendar.addons.execute",
"https://www.googleapis.com/auth/calendar.events.readonly",
"https://www.googleapis.com/auth/calendar.addons.current.event.read",
"https://www.googleapis.com/auth/calendar.addons.current.event.write",
"https://www.googleapis.com/auth/script.external_request",
"https://www.googleapis.com/auth/script.scriptapp"
],
"addOns": {
"common": {
"homepageTrigger": {
"enabled": false
},
"logoUrl": "https://lh3.googleusercontent.com/-WuPhRsFGKUc/XCng7m_FIxI/AAAAAAAAAGg/ASH4GCGDMs0d55OZQGCSIQHXjRAKnkeTQCLcBGAs/s400/jitsi-logo-96x96.png",
"name": "Conference App"
},
"calendar": {
"conferenceSolution": [
{
"id": 1,
"name": "Private Meeting",
"logoUrl": "https://lh3.googleusercontent.com/-WuPhRsFGKUc/XCng7m_FIxI/AAAAAAAAAGg/ASH4GCGDMs0d55OZQGCSIQHXjRAKnkeTQCLcBGAs/s400/jitsi-logo-96x96.png",
"onCreateFunction": "createPrivateMeeting"
}
],
"currentEventAccess": "READ_WRITE"
}
},
"timeZone": "America/New_York",
"runtimeVersion": "V8",
"dependencies": {
"enabledAdvancedServices": [
{
"userSymbol": "Calendar",
"serviceId": "calendar",
"version": "v3"
}
],
"libraries": [
{
"userSymbol": "OAuth2",
"version": "43",
"libraryId": "1B7FSrk5Zi6L1rSxxTDgDEUsPzlukDsi4KGuTMorsTQHhGBzBkMun4iDF"
}
]
},
"webapp": {
"access": "ANYONE",
"executeAs": "USER_ACCESSING"
},
"exceptionLogging": "STACKDRIVER"
}
From the network it seems the browser makes a preflight request when redirected from the backend to the google script and fails with cors error.
I tried to change the Content-Type in headers to text/plain;charset=utf-8 to avoid the preflight request but the cors issue still persists.
I am expecting the popup to get redirect to addon and exchange the auth code for auth token.
The mistake i was making was redirecting the popup to appscript from backend. Instead of returning the redirect uri with auth code concatenated in response from the backend to the popup/frontend and frontend redirects which fixes the cors mismatch error.
I am running into a error "ETagMissing: No access to ETag property on response. Check CORS configuration to expose ETag header." when running a multipart upload to AWS. I searched the whole net and cant find a way to add this Etag to my bucket CORS policy. I don't know the properties of it and theres no documnetation.
My current CORS policy:
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"PUT",
"POST",
"DELETE",
"HEAD"
],
"AllowedOrigins": [
"*"
],
"ExposeHeaders": []
}
]
Simply add ETag in the ExposeHeaders array on your CORS configuration.
Click on your bucket
Click on Authorization tab, move down to CORS
Your CORS config should looks like :
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"PUT",
"POST"
],
"AllowedOrigins": [
"your_origin_url"
],
"ExposeHeaders": [
"ETag" // The line to add
]
}
Check CORS configuration to expose ETag header.
The error message is telling you exactly what to do. Your CORS policy needs to add ETag in the ExposeHeaders array.
You currently have an empty ExposeHeaders array so all headers are being blocked by CORS.
I’m setting up Couchbase Lite on android with Sync Gateway 2.1 and Couchbase Server 6.0.
I've implemented authentication with Google Sign-in by using the OpenID Connect Implicit flow and I'm able to get the session cookie for authentication.
Now I need authorization to use the "requireUser()" function in the SGW config file's javascript, but I can't get SGW to create the User for me.
From what I read in the docs, setting "register":true in the config file should make SGW automatically create the user when it doesn't exist, but I keep getting an Unauthorized response when sending a request to /_session with as body { "name": "new_user_name" }.
What am I missing to be able to create the user with SGW automatically? I have setup Implicit Flow auth to avoid having to manage my own web app for authorization, so I would like to avoid having to use the Admin rest API for user creation.
Here's my SGW config file:
{
"log": ["*"],
"adminInterface": ":4985",
"databases": {
"lucidity": {
"server": "http://xxx.xxx.xxx.xxx:8091",
"bucket": "bucketname",
"username": "syncgateway",
"password": "***********",
"num_index_replicas": 0,
"enable_shared_bucket_access": true,
"import_docs": "continuous",
"oidc": {
"providers": {
"GoogleAuthFlow": {
"issuer":"https://accounts.google.com",
"client_id":"xxxxxxxxxxxxx.apps.googleusercontent.com ",
"validation_key":" xxxxxxxxxxxx",
"callback_url": "http://xxx.xxx.xxx.xxx:4984/bucketname/_oidc_callback",
"register":true
}
}
},
"users": { "GUEST": { "disabled": false, "admin_channels": ["*"] } },
"sync": `function (doc, oldDoc) {
}`
}
}
EDIT:
Here's the log for my request:
POST http://xx.xx.xx.xx:4984/bucketname/_session
Content-Type: application/json
Content-Length: 2
Authorization: [MY_ID_TOKEN_HERE]
Body: { }
And the response is
{
"authentication_handlers" : [ "default", "cookie" ],
"ok" : true,
"userCtx" : {
"channels" : {
"!" : 1,
"*" : 1
},
"name" : null
}
}
with the following Set-Cookie header:
Set-Cookie: SyncGatewaySession=xxxx; Path=/bucketname; Expires=Fri, 18 Jan 2019 08:50:36 GMT
I have created an Actionable Message and registered a provider in Office365, which is approved for my organization. I'm sending the message via Microsoft Flow.
The message contains HttpPost actions in which I want to receive the response with am HTTP triggered Flow.
This is the JSON of the actionable message (I've removed the FLOW urls, and #'s are escaped.):
{
"##type": "MessageCard",
"##context": "http://schema.org/extensions",
"originator": "<my_provider_id>",
"summary": "Klanttevredenheidsonderzoek ",
"title": "Bent u tevreden over de afhandeling van **melding 92138749247**",
"text": "Graag horen we of u tevreden bent over deze melding",
"themeColor": "E81123",
"sections": [
{
"potentialAction": [
{
"##type": "HttpPOST",
"name": "Slecht!",
"headers": [{ "Content-Type": "application/json" }],
"target": "<flowurl>?<>flowurlparameters",
"body": "Slecht!"
},
{
"##type": "HttpPOST",
"name": "Goed!",
"headers": [{ "Content-Type": "application/json" }],
"target": "<flowurl>?<>flowurlparameters",
"body": "Goed"
}
]
},
{
"startGroup": true,
"title": "**Disclaimer**",
"text": ". 2018"
}
]
}
I have two problems:
If I mail my own O365 account, I get the mail with the message
showing correctly. However, the post buttons do not work correctly,
and the link I see when I hover over the buttons is missing the URL
parameters (which might be the cause it's not working). What could I
be doing wrong, or is it still too early for this to work? How can I
debug this?
In the new SPFx O365Connectors webpart the HTTPPost actions are missing completely. The rest of the message is shown correctly. Are HTTPPost actions not supported yet? Or will they not be supported at all? Or is something wrong with what I'm doing..?
Microsoft has now added support for the scenario of catching HTTP Post operations from within an actionable email by Microsoft Flow. The key is to explicitly set the authorization header to an empty string.
Below snippet uses the adaptive card schema v1.0 at http://adaptivecards.io/schemas/adaptive-card.json
"actions": [
{
"type": "Action.Http",
"title": "Light",
"method": "POST",
"headers": [
{
"name": "Authorization",
"value": ""
}
],
"url": "<a http triggered Flow URL>",
"body": "{'currentRoom':'room1','currentState':'roomState1','action':null,'exit':null,'object':null,'objectAction':null,'userEmail':'someuser#somedomain.com'}"
}
]
I received the following response from a Microsoft employee regarding this issue:
The reason it fails is because the logic app doesn’t allow sending
Authorization header and it responds back 401 Unauthorized. We send
Authorization header to identify that the request is from Office 365.
The logic app works fine without Authorization header.
I will discuss this with the team and see if we can resolve this kind
of scenario, and will update you on the status.
So for now it seems this scenario is not supported.
I have my API in loopback 3.x. First I created an empty project and right after that I ran npm install loopback-connector-rest --save and lb datasource in the console to have a link to an external API called Userlike. It this URL https://www.userlike.com/api/external/message/chat_meta/.
Then I created a model with no parameters called Messages.
I had no problems executing as I used node . and there was no error, and in localhost:3000 I could visualize my API.
But I had a problem when I clicked GET in the page a 401 error because to access the API in Userlike I needed to send my token so I could get the data, so I modified the datasources.json file and I had this:
{
"userlikeRESTdatasource": {
"name": "userlikeRESTdatasource",
"baseURL": "https://www.userlike.com/api/external/message/chat_meta/",
"crud": false,
"connector": "rest",
"operations": [
{
"functions": {
"getMessages": []
},
"template": {
"method": "GET",
"url": "https://www.userlike.com/api/external/message/chat_meta/",
"headers": {
"accepts": "application/json",
"content-type": "application/json",
"authorization": "8c149a3d-4acf-362e-880c-30ec2f5ecaf"
},
"responsePath": "$.results.*"
}
}
]
}
}
The authorization field I put in the header didn't work as I still received
{
"error": {
"statusCode": 401,
"name": "Error",
"message": "Authorization Required",
"stack": "Error: Authorization Required\n
}
}
My idea was to do something like:
headers.append('Authorization', '8c149a3d-4acf-362e-880c-30ec2f5ecaf7');
headers.append('Access-Control-Allow-Origin', '*');
headers.append('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
headers.append('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Authorization, Accept');
But with loopback. So I could receive the data from the Userlike API and next I could modify or just use the data I wanted.
But I still can't figure out how can I modify my datasources.json or if I need to create something in another file to make it possible to send the token as the authorization to that URL I'm using.
Pass access token with HTTP header by using this
headers.append('X-Access-Token', '8c149a3d-4acf-362e-880c-30ec2f5ecaf7');
or also pass this token as a parameter.
?access_token=8c149a3d-4acf-362e-880c-30ec2f5ecaf7
This will help.