CORS is part of the original web security model, but is not secure and should not be used for server security.
CORS = Cross origin resource sharing ... Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a...
It is easily spoofed with readily available browser add-ons, such as the HeaderHacker Chrome extension, which is quite useful for certain testing purposes.
All browsers and responding HTTP servers use CORS, but these days developers use CORS mostly to ensure they are getting to the right place.
HTTP servers by default are set to not allow resource sharing across domains. A domain change can happen if you are just using a different port for a resource.
So, even from the same IBM i, if you display a page from a cgi program from one port, then use a web service to get data via ajax on another, you'll get a CORS denial.
To avoid this, I always set CORS to allow cross origin requests, on all my HTTP server setups.
Also, you may still get an error depending on where you are requesting from. I also always set my servers to allow the content type directive.
If you are running APACHE 2.4 (V7r2 +), in the <Location/> section of your HTTP server configuration file, after "Require all granted", add the following lines (you'll need to restart the server):
Header Set Access-Control-Allow-Origin *
Header Set Access-Control-Allow-Headers "Content-Type"
If you are running prior APACHE releases (V7r1 -), in the <Location/> section of your HTTP server, after "allow from all", add the following lines (you'll need to restart the server):
Header Always Set Access-Control-Allow-Origin *
Header Always Set Access-Control-Allow-Headers "Content-Type"
Even if you are using CGI, or PHP, or NODE for serving the response, you would need to add the corresponding CORS directives.
On Wednesday, December 5, 2018, 3:53:12 PM GMT-3, Booth Martin <booth@xxxxxxxxxxxx> wrote:
I believe the following is an accurate report:
* The i is remote, reached by VPN. Let's call
"i.server.com:10000/web/services/Oceans" TheURL. This is a web
service providing a short list of 5 oceans from QMYLIB/OCEANSP.
* There is also an HTTP server set up on the TheURL's domain with a
a nicely formatted layout and attempts to retrieve the Oceans data
from TheURL. It fails with the CORS failure.
installed there, pointing at TheURL. It fails with the CORS failure.
If I point my regular browser at TheURL I immediately get the 5 oceans
failure. In other words, any regular web browser inside the VPN can
That's just ridiculous; therefore, I am misunderstanding something.
On 12/5/2018 12:15 PM, Justin Taylor wrote:
Is your JS trying to call a different server?
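
The browser-side check behind the CORS denial discussed in this thread, as an added example that is not part of any poster's message. It is a simplified model, not the full Fetch algorithm: the page URL and its port 8080 are constructed, TheURL is assumed to be served over http, and the preflight and final response headers are merged into one object.

```javascript
// Simplified model of a browser's CORS decision for a non-credentialed request.
// An origin is scheme + host + port, so a different port alone is cross-origin.
function originOf(url) {
  return new URL(url).origin;
}

function isCrossOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) !== originOf(targetUrl);
}

// Content-Type values that do not trigger a preflight on their own.
const SIMPLE_CONTENT_TYPES = [
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
];

// responseHeaders: lower-cased header names as returned by the server.
function browserAllowsRead(pageUrl, targetUrl, requestContentType, responseHeaders) {
  if (!isCrossOrigin(pageUrl, targetUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== originOf(pageUrl)) {
    return { allowed: false, reason: "Access-Control-Allow-Origin missing or mismatched" };
  }
  // A non-simple Content-Type (e.g. application/json) must be permitted
  // through Access-Control-Allow-Headers.
  const type = (requestContentType || "").split(";")[0].trim().toLowerCase();
  if (type && !SIMPLE_CONTENT_TYPES.includes(type)) {
    const allowed = (responseHeaders["access-control-allow-headers"] || "")
      .toLowerCase().split(",").map((h) => h.trim());
    if (!allowed.includes("content-type") && !allowed.includes("*")) {
      return { allowed: false, reason: "Content-Type not in Access-Control-Allow-Headers" };
    }
  }
  return { allowed: true, reason: "CORS headers permit the read" };
}

// Constructed sample: page on port 8080 calling the web service on port 10000.
const PAGE = "http://i.server.com:8080/oceans.html";            // hypothetical page
const SERVICE = "http://i.server.com:10000/web/services/Oceans"; // TheURL, http assumed
const WILDCARD = {
  "access-control-allow-origin": "*",
  "access-control-allow-headers": "Content-Type",
};
console.log(browserAllowsRead(PAGE, SERVICE, "application/json", {}));
console.log(browserAllowsRead(PAGE, SERVICE, "application/json", WILDCARD));
```

Typing the service URL directly into the address bar is a top-level navigation, not a script read from another origin, so this check never runs in that case.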