Your browser is complaining about a missing header: Access-Control-Allow-Origin Because this header is missing your browser does not know that the desired access is legit. Have a look at http://enable-cors.org and choose the configuration appropriate for your server. You need to configure the server where the fonts are stored !
In my case I had to enable CORS-related feature on the server side: Access-Control-Expose-Headers: Content-Disposition This allows javascript on the browser side to read this header. In case of node.js + express + cors on the server side it may looks like this: app.use(cors({ origin: ‘http://localhost:8080’, credentials: true, exposedHeaders: [‘Content-Disposition’] })) So I can see … Read more
I’ve finally figured out an answer to this. There is at least one other situation where an Origin header may be “null”. When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to “null”. I suppose this is considered … Read more
The important thing to note here is that if the user is signed in to a site http://example.com/ and the request http://example.com/delete?id=1 deletes a post by the user, then the following code will delete the user’s post: <script src=”http://example.com/delete?id=1″ /> This is called a CSRF/XSRF attack (cross-site request forgery). This is why most server-side web … Read more
To be more specific, it is easy to make the mistake of thinking that if evil.example cannot make a request to good.example due to CORS then CSRF is prevented. There are two problems being overlooked, however: CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.example make … Read more
Short answer: Ensure the request URL in your code isn’t missing a trailing slash. A missing-trailing-slash problem is the most-common cause of the error cited in the question. But that’s not the only cause — just the most common. Read on for more details. When you see this error, it means your code is triggering … Read more
The default behavior of web browsers that initiate requests from a page via JavaScript (AKA AJAX) is that they follow the same-origin policy. This means that requests can only be made via AJAX to the same domain (or sub domain). Requests to an entirely different domain will fail. This restriction exists because requests made at … Read more
I was wondering the same thing, so after a bit of research I found that the easiest way was simply to use a JAX-RS ContainerResponseFilter to add the relevant CORS headers. This way you don’t need to replace the whole web services stack with CXF (Wildfly uses CXF is some form, but it doesn’t look … Read more
Preflight can only be applied to the request, not to the entire domain. I brought the same question up on the mailing list, and there were security concerns. Here’s the entire thread: http://lists.w3.org/Archives/Public/public-webapps/2012AprJun/0228.html There are a few things to consider if you’d like to limit the number of preflight requests. First note that WebKit-based browsers … Read more
The simple answer is to set the Access-Control-Allow-Origin header to localhost or *. Here’s how I usually do it: Create a simple middleware called Cors: php artisan make:middleware Cors Add the following code to app/Http/Middleware/Cors.php: public function handle($request, Closure $next) { return $next($request) ->header(‘Access-Control-Allow-Origin’, ‘*’) ->header(‘Access-Control-Allow-Methods’, ‘GET, POST, PUT, DELETE, OPTIONS’); } You can replace … Read more