I have been using POSTMAN for some time now for sending HTTP requests like GET, POST, PUT for RESTful web services. Recently I came across a situation where, when sending a request to my REST API through the browser, I got a message that
No Access Control Allow Origin Header is present on the Requested resource.
The solution was of course to add such a header to the API.
However, strangely, when I sent the same request through POSTMAN I was able to get back the response.
So I want to know how sending a request through POSTMAN is different from sending a request through a browser.
I went through this question: CORS with POSTMAN, but it really doesn't provide an answer in detail.
From Cross-Origin XMLHttpRequest in Chrome Develop Extensions documentation:
Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.
Basically browser extensions have more privileges than web content. In the case of Chrome extensions, there is an option to enable cross-origin access.
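The difference described above, as an added example that is not part of the original posts: the server answers every client, and only a web page's script has the response gated by the browser's CORS check. The function names `corsCheck` and `canReadBody` and the sample responses are assumptions made for illustration; the check follows the Fetch specification's logic in simplified form.

```javascript
// Simplified model of the Fetch "CORS check" a browser applies to a cross-origin
// response before page script may read it. corsCheck/canReadBody are hypothetical names.
function corsCheck(pageOrigin, responseHeaders, credentialsMode = "same-origin") {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (credentialsMode !== "include" && allowOrigin === "*") {
    return { readable: true, reason: "wildcard, request carried no credentials" };
  }
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: `header value '${allowOrigin}' is not the page origin` };
  }
  if (credentialsMode !== "include") {
    return { readable: true, reason: "origin matches" };
  }
  if (h["access-control-allow-credentials"] === "true") {
    return { readable: true, reason: "origin matches and credentials are allowed" };
  }
  return { readable: false, reason: "credentialed request without Access-Control-Allow-Credentials: true" };
}

// The server answers in every case; only a web page's script is subject to the check.
function canReadBody(client, pageOrigin, responseHeaders, credentialsMode) {
  if (client !== "web-page") {
    return { readable: true, reason: "client does not enforce the same-origin policy" };
  }
  return corsCheck(pageOrigin, responseHeaders, credentialsMode);
}

// Constructed sample responses mirroring the situations quoted on this page.
const noHeader = {};
const fixedOrigin = { "Access-Control-Allow-Origin": "http://localhost:8100" };
const wildcard = { "access-control-allow-origin": "*" };

console.log(canReadBody("postman", null, noHeader));
console.log(canReadBody("web-page", "http://localhost:3000", noHeader));
console.log(canReadBody("web-page", "http://run.plnkr.co", fixedOrigin));
console.log(canReadBody("web-page", "http://localhost:8100", fixedOrigin));
console.log(canReadBody("web-page", "http://localhost:3000", wildcard, "include"));
```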
Hello I am developing a web app, with a microservices architecture.
I am using golang (Fiber) on the backend and Next.js on the frontend.
When I send a request from restaurant.quiqr.co/signin to api.quiqr.co/auth/signin, I am sending a cookie alongside the response from api.quiqr.co containing the JWT token.
Everything works fine on Postman; I can see the cookie being stored and sent with any follow-up request.
But when it comes to web browsers, my cookie is not being stored. What could be the issue?
I am using Kubernetes with Ingress NGINX, but as I mentioned before everything works on Postman.
I tried to modify the cookie domain to .quiqr.co or restaurant.quiqr.co, but this did not work, I even tried all of the SameSite attributes, but nothing worked.
The only solution that worked is when I put all of them under the same domain. For example: quiqr.co/api/auth/signin and quiqr.co/restaurant/signin, the returned cookie will have a .quiqr.co domain and everything would work fine.
I also realized that when I do so, the browser won't send a preflight request, but if I separate them again into subdomains the browser would send a preflight request and the returned cookie won't be stored.
So what could be the issue here? Thank you.
Both requests- Preflight and xhr
xhr request content
No cookies in my devtools
I sniffed the network traffic coming out of an app that displays real-time data. I am trying to get access to the API to display the same real-time data on a website that I am currently working on. I was able to view the GET request and the response using Fiddler, and I then sent a GET request directly using the URL. However, my GET request was blocked by CORS policy. I'm a beginner and would like to know how to access the API.
If the server that's hosting the API doesn't supply CORS headers that explicitly allow this, you're not going to be able to make these requests via your browser. I'd recommend making the requests on your server instead of in the browser, because that's not bound by CORS settings.
That's my question, what are the differences between those requests?
I am having an issue with a GET request I am trying to perform; I am getting the error
XMLHttpRequest cannot load http://urbanetradio.com/wp-json/posts. The 'Access-Control-Allow-Origin' header has a value 'http://localhost:8100' that is not equal to the supplied origin. Origin 'http://run.plnkr.co' is therefore not allowed access.
That GET request is toward my-site-url/wp-json/posts, which is a WordPress account. And this is the method I am using
So, someone says, use JSONP instead of GET, but why?
JSONP is what is used for web APIs that support cross-origin resource sharing. The article below gives an example of how to make a request that supports CORS. If the web API is not configured to allow requests from your host, you may not be able to make it work without changing the API though.
Web requests that support CORS:
http://www.html5rocks.com/en/tutorials/cors/
Setting up a web API that uses CORS:
http://mobile.codeguru.com/csharp/.net/net_asp/using-cross-origin-resource-sharing-cors-in-asp.net-web-api.html
Is it possible to use HTTP.get on the client side to retrieve some json data and store it as a string?
I need to get the JSON from this site https://blockchain.info/address/15cNko3ZtmYCba8GoaYsZ6GWFy1VCLgFji?format=json and store it as a string for later parsing.
The above site address for the wallet was chosen at random.
You can perform HTTP.get on the client. As per the documentation it's available Anywhere (Client and Server)
However, the example you've provided isn't on the same domain as your app, and hasn't provided Access-Control-Allow-Origin headers to permit cross-domain requests. So requests from the client will fail.
From Wikipedia:
The same origin policy prevents a document or script loaded from one
origin from getting or setting properties of a document from another
origin. This policy dates all the way back to Netscape Navigator 2.0.
Try typing $.ajax("https://blockchain.info/address/15cNko3ZtmYCba8GoaYsZ6GWFy1VCLgFji?format=json"); in your browser console in your application development tab.
You're likely to receive this error as a response:
XMLHttpRequest cannot load https://blockchain.info/address/15cNko3ZtmYCba8GoaYsZ6GWFy1VCLgFji?format=json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
This is a CORS-related issue, which is a whole topic in itself, so I suggest you google this and understand its implications.
Next, if you can control CORS settings on the domain where you're trying to fetch JSON from, then you need to allow cross-origin requests from your web application domain; this is possible when using an Amazon S3 bucket, another web application you designed, etc.
If you can't, then I'm afraid you'll have to use a Meteor.method client side to reach your Meteor server, where you'll fetch the JSON with HTTP.get then send it back to the Meteor client.
I have a question where my client is on http://web-dev.test.com and my MVC services are on http://webdev01.test.com. So I am trying to use ajax GET and POST JSON requests from my client to the MVC services, but it is giving me a cross-domain error. Can anyone explain to me what the problem is, and how I could resolve this?
Thank you
From the documentation:
Due to browser security restrictions, most "Ajax" requests are subject to the same origin policy; the request can not successfully retrieve data from a different domain, subdomain, or protocol.
Script and JSONP requests are not subject to the same origin policy restrictions.
Making it a JSONP request, if possible, should not cause you those issues. Otherwise I'm afraid you are not going to be able to successfully complete your request.
You have two options: using JSONP or CORS.
For CORS you set HTTP headers for your service so that your client will have access to it, e.g.
Access-Control-Allow-Origin: http://web-dev.test.com
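A server-side sketch of the header shown above, as an added example that is not part of the original answers: it echoes the request's origin only when it is on an allow-list (avoiding the fixed-value mismatch quoted in the `http://localhost:8100` error earlier on this page) and answers the preflight that a JSON POST triggers. The request shape and the name `corsResponse` are assumptions and are not tied to any framework.

```javascript
// Allow-list CORS policy sketch; request shape ({method, headers} with lower-case
// header names) and corsResponse are hypothetical, not tied to any framework.
const ALLOWED_ORIGINS = new Set(["http://web-dev.test.com"]); // origin from the answer above
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type"]; // needed for Content-Type: application/json

function corsResponse(req) {
  // Vary: Origin keeps caches from serving one origin's answer to another.
  const headers = { "Vary": "Origin" };
  const origin = req.headers["origin"];
  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;

  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: send no CORS headers, so the browser refuses the read.
    return { preflight: isPreflight, allowed: false, headers };
  }
  if (isPreflight) {
    const method = req.headers["access-control-request-method"];
    const wanted = (req.headers["access-control-request-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(method) ||
        !wanted.every((w) => ALLOWED_HEADERS.includes(w))) {
      return { preflight: true, allowed: false, headers };
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  }
  // Echo the one matching origin, only after it passed the allow-list check.
  headers["Access-Control-Allow-Origin"] = origin;
  return { preflight: isPreflight, allowed: true, headers };
}

// Constructed requests: a JSON POST preflight from the allowed client, and a GET from elsewhere.
const preflight = { method: "OPTIONS", headers: {
  "origin": "http://web-dev.test.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "Content-Type" } };
const foreignGet = { method: "GET", headers: { "origin": "http://run.plnkr.co" } };

console.log(corsResponse(preflight));
console.log(corsResponse(foreignGet));
```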