Browsers enforce a CORS policy which rejects requests across different domains, to prevent XSS.
In some cases you want to allow such requests, for instance in a trusted SOA environment where you have to make requests across different domains or subdomains.
If you are using Apache as your web server, you can modify your response headers to allow browsers to make script requests from another domain.
Here is how it works.
Add a .htaccess file to the directory you want to send requests to:
# with AJAX withCredentials=false (cookies NOT sent)
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH, DELETE"
Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type"
# answer CORS preflight (OPTIONS) requests with 200 instead of passing them to the application
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]
Enable the headers module in Apache with:
a2enmod headers
You can tighten security by removing the request methods you do not need from the list of allowed verbs.