Access-Control-Allow-Origin: * not working?

user1170717 · Feb 27, 2012 · Viewed 16.1k times

Classic "Origin ... is not allowed by Access-Control-Allow-Origin" problem. Two machines serve contents for the same website. When machine A does a $('#main').load('link_to_resource_on_B') via jQuery, machine B serves up the content with mod_python, adding an Access-Control-Allow-Origin: * header. But for some reason, this still does not work. I tested this on Chrome, Safari, and Internet Explorer. I also tested via the command line to check the response header, and it seems Access-Control-Allow-Origin: * is successfully in the header from B. See below. What could I be missing?

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /tests/python/test/env HTTP/1.1
host: 10.0.1.10 

HTTP/1.1 200 OK
Date: Mon, 27 Feb 2012 02:05:33 GMT
Server: Apache/2.2.20 (Ubuntu)
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html

Answer

proactive-e · Dec 10, 2012

Enabling the Access-Control-Allow-Origin header in the response is not sufficient. The server-side implementation should provide proper handling for the pre-flight OPTIONS request. In particular, the following HTTP headers must be set in the OPTIONS response:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST

Other HTTP headers such as Access-Control-Allow-Headers might also be needed in the OPTIONS response in case non-standard HTTP headers are used in your environment.

Keep in mind that the Access-Control-Allow-Origin: * HTTP header must also be set in the following GET & POST responses.
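
The pre-flight handling described in this answer, shown as WSGI middleware that can be exercised in-process. This is an added example, not code from the question or the answer; the ALLOW_HEADERS list, the demo_app stand-in for machine B's resource, and the call helper are assumptions made for illustration.

```python
# Added example: answer the CORS pre-flight OPTIONS request and attach
# Access-Control-Allow-Origin to the actual GET/POST responses.

ALLOW_ORIGIN = "*"   # as in the answer; browsers reject "*" on credentialed requests
ALLOW_METHODS = "GET, POST"
ALLOW_HEADERS = "Content-Type, X-Requested-With"  # assumption: headers the client sends


def cors_middleware(app):
    """Wrap a WSGI app so pre-flight and actual responses carry CORS headers."""
    def wrapped(environ, start_response):
        # A pre-flight is an OPTIONS request carrying Origin and
        # Access-Control-Request-Method; it never reaches the wrapped app.
        is_preflight = (
            environ.get("REQUEST_METHOD") == "OPTIONS"
            and "HTTP_ORIGIN" in environ
            and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ
        )
        if is_preflight:
            start_response("204 No Content", [
                ("Access-Control-Allow-Origin", ALLOW_ORIGIN),
                ("Access-Control-Allow-Methods", ALLOW_METHODS),
                ("Access-Control-Allow-Headers", ALLOW_HEADERS),
            ])
            return [b""]

        def add_cors(status, headers, exc_info=None):
            # Replace any existing value so the header is sent exactly once.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "access-control-allow-origin"]
            headers.append(("Access-Control-Allow-Origin", ALLOW_ORIGIN))
            return start_response(status, headers, exc_info)

        return app(environ, add_cors)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the resource served by machine B."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<p>content from B</p>"]


def call(app, method, extra=None):
    """Invoke a WSGI app in-process; return (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/tests/python/test/env"}
    environ.update(extra or {})
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Calling call(cors_middleware(demo_app), "OPTIONS", {...}) with constructed Origin and Access-Control-Request-Method values shows the pre-flight response a browser would evaluate before sending the real request.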