SyntaxFix

[html] How do I use Access-Control-Allow-Origin? Does it just go in between the html head tags?

I've been reading about Access-Control-Allow-Origin because it seems effective at allowing cross domain requests since I have access to the external site. My question ism how do I use Access-Control-Allow-Origin to allow cross domain requests. I tried this (don't laugh) (by the way all I want is for a single number, 1 or 0 to be returned)

<html>
<head>
Access-Control-Allow-Origin: *
</head>
<body>
1
</body>
</html>

Am I close? Thanks for your help. If there is an easier way to do a simple cross-domain request let me know.

This question is related to html cross-domain same-origin-policy access-control cors

The answer is

That is an HTTP header. You would configure your webserver or webapp to send this header ideally. Perhaps in htaccess or PHP.

Alternatively you might be able to use

<head>...<meta http-equiv="Access-Control-Allow-Origin" content="*">...</head>

I do not know if that would work. Not all HTTP headers can be configured directly in the HTML.

This works as an alternative to many HTTP headers, but see @EricLaw's comment below. This particular header is different.

Caveat

This answer is strictly about how to set headers. I do not know anything about allowing cross domain requests.

About HTTP Headers

Every request and response has headers. The browser sends this to the webserver

GET /index.htm HTTP/1.1

Then the headers

Host: www.example.com
User-Agent: (Browser/OS name and version information)
.. Additional headers indicating supported compression types and content types and other info

Then the server sends a response

Content-type: text/html
Content-length: (number of bytes in file (optional))
Date: (server clock)
Server: (Webserver name and version information)

Additional headers can be configured for example Cache-Control, it all depends on your language (PHP, CGI, Java, htaccess) and webserver (Apache, etc).

<?php header("Access-Control-Allow-Origin: http://example.com"); ?>

This command disables only first console warning info

console

Result: console result

If you use Java and spring MVC you just need to add the following annotation to your method returning your page :

@CrossOrigin(origins = "*")

"*" is to allow your page to be accessible from anywhere. See https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Access-Control-Allow-Origin for more details about that.

There are 3 ways to allow cross domain origin (excluding jsonp):

1) Set the header in the page directly using a templating language like PHP. Keep in mind there can be no HTML before your header or it will fail.

 <?php header("Access-Control-Allow-Origin: http://example.com"); ?>

2) Modify the server configuration file (apache.conf) and add this line. Note that "*" represents allow all. Some systems might also need the credential set. In general allow all access is a security risk and should be avoided:

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials true

3) To allow multiple domains on Apache web servers add the following to your config file

<IfModule mod_headers.c>
    SetEnvIf Origin "http(s)?://(www\.)?(example.org|example.com)$" AccessControlAllowOrigin=$0$1
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials true
</IfModule>

4) For development use only hack your browser and allow unlimited CORS using the Chrome Allow-Control-Allow-Origin extension

5) Disable CORS in Chrome: Quit Chrome completely. Open a terminal and execute the following. Just be cautious you are disabling web security:

open -a Google\ Chrome --args --disable-web-security --user-data-dir

Source: Stackoverflow.com

Examples related to html

Embed ruby within URL : Middleman Blog Please help me convert this script to a simple image slider Generating a list of pages (not posts) without the index file Why there is this "clear" class before footer? Is it possible to change the content HTML5 alert messages? Getting all files in directory with ajax DevTools failed to load SourceMap: Could not load content for chrome-extension How to set width of mat-table column in angular? How to open a link in new tab using angular? ERROR Error: Uncaught (in promise), Cannot match any routes. URL Segment

Examples related to cross-domain

How to enable CORS in ASP.net Core WebAPI How to create cross-domain request? What are the integrity and crossorigin attributes? jQuery ajax request being block because Cross-Origin How to switch to another domain and get-aduser POST request not allowed - 405 Not Allowed - nginx, even with headers included Firefox 'Cross-Origin Request Blocked' despite headers No 'Access-Control-Allow-Origin' header is present on the requested resource- AngularJS Ajax Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource AJAX in Chrome sending OPTIONS instead of GET/POST/PUT/DELETE?

Examples related to same-origin-policy

XMLHttpRequest cannot load XXX No 'Access-Control-Allow-Origin' header Disable-web-security in Chrome 48+ How to enable CORS on Firefox? SecurityError: Blocked a frame with origin from accessing a cross-origin frame Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not? Disable firefox same origin policy Catch error if iframe src fails to load . Error :-"Refused to display 'http://www.google.co.in/' in a frame.." Cross Domain Form POSTing How do I use Access-Control-Allow-Origin? Does it just go in between the html head tags? Disabling same-origin policy in Safari

Examples related to access-control

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at How to create a user in Oracle 11g and grant permissions How do I use Access-Control-Allow-Origin? Does it just go in between the html head tags? jQuery.getJSON - Access-Control-Allow-Origin Issue Create new user in MySQL and give it full access to one database

Examples related to cors

Axios having CORS issue Cross-Origin Read Blocking (CORB) Jquery AJAX: No 'Access-Control-Allow-Origin' header is present on the requested resource How to allow CORS in react.js? Set cookies for cross origin requests XMLHttpRequest blocked by CORS Policy How to enable CORS in ASP.net Core WebAPI No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API How to overcome the CORS issue in ReactJS Trying to use fetch and pass in mode: no-cors

Tags

Activation Add-filter System.diagnostics Zend-controller Action-filter Xmp Demorgans-law Hoard Drb Uppercase Fastmm Git-checkout Data-formatters Quickcheck Dynamic-list Syndication Php4 Gnu-fileutils Indices Wcf-rest-contrib Librsvg Tinyurl Code-separation Movie Imagebrush Cxml Jboss-weld Column-types Vmt Kiln Codedom List-definition Turbo-basic Tortoisebzr Swiz Wml Fsockopen Quadtree Moss Cruisecontrol.net Jspinclude Table-locking Nyromodal Custom-draw Objective-c Call-control Roaming-profile Post-parameter Qsplitter Function-interposition Gd2 Msbuild-buildengine Directshow.net Winmail.dat Quest Tabpage Lnk2005 Waitone Svn-administraton Yoxos Gumstix Topography Browser-addons Xsp2 Denormalization Redis Windows-server-2000 Retained-in-memory Cabasicanimation Scoreninja Phppgadmin Netbeans Gac Register-allocation Autodesk Fitsharp Flash-cs5 Bitbucket Ios3.0 Setorientation Static-initializer Mapi Hittest Air2 Openframeworks Git-fetch Sql-server-ce-4 Data-linking Mosso Topic-maps Aol Application-onerror Cellspacing Distcc Sieve Command-line-tool Interrupt Facet Hyperjaxb Tree-left-right