I'm developing an app using an API in Eve and AngularJS.
To avoid CORS issue, I made a simple NodeJS server to serve my static files.
However, even after allowing All domains on my Python Eve API by writing 'X_DOMAINS': '*' (I tested with Curl and it worked) I'm getting issues in my browser when I want to call the API using $http.
This is the error I get in chrome:
XMLHttpRequest cannot load http://localhost:5000/regions. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
I even wrote this in my Node app, even though I figured it would be useless:
app.all('/*', function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Headers", "X-Requested-With, Content-Type");
res.header("Access-Control-Allow-Methods", "GET, POST","PUT");
next();
});
Nothing has worked so far, thanks in advance for the help!
Ran into some similar issues with javascript. I could get it running with some tweaks on eve, but in the end it was not enough. The BadRequest responses are sent by the flask engine, not eve, disabling any javascript attempt at handling errors. It appears there is a nice flask extension CORS that covers it well:
from flask.ext.cors import CORS
....
CORS(app)
That was all that I needed in the end.
Add this in your response headers:
res.header("Access-Control-Allow-Origin", "http://localhost:8080");
Remove the following:
http://localhost:8080
Or what you can try is to get the request origin and add it to the response. Something like this:
var hostName = req.get('host');
res.header("Access-Control-Allow-Origin", hostName);
On some cases it might work, specially if it is a GET call. But if it is a POST, some browsers will block it.
Another option is to disable the web security on your browser, (though not the best thing to do.) You can read here for that.
Also go through the posts here , so that you can have a better idea of the problem.
In the following command:
res.header("Access-Control-Allow-Headers", "X-Requested-With, Content-Type");
you set allowed headers, maybe you sent other headers e.g. "Authorization", in this case you must include these headers to above command
Related
I have two domains, one is for front-end(abc.aa.com) another is for back-end(xx.abc.aa.com).
I have to upload a picture from the front-end to back-end with ajax only if I set it.
Header set Access-Control-Allow-Origin "*" to .htaccess, it will succeed.
Otherwise a cross-domain error will happen, but I want to allow only the abc.aa.com to access this source; how can I achieve this?
I also tried this tutorial, but only origin="*" will work.
My env:
python 2.7
flask
webuploader
I installed a clone of the AppRTC GAE application, but I have a CORS problem with the response that comes from the TURN server.
I have installed my own TURN server on a VPS, but the problem with the CORS request continues and I have no idea how to fix it.
https://github.com/webrtc/apprtc
I have tried to modify the python request to add the necessary header, but with no luck.
Also I found this resource regarding CORS support
https://cloud.google.com/appengine/docs/go/config/appconfig
but still no luck.
The error I'm getting is
XMLHttpRequest cannot load https://computeengineondemand.appspot.com/turn?username=910605201&key=4080218913. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://hubert-rtc.appspot.com' is therefore not allowed access.
Any suggestions?
AppRtc has purposefully disabled CORS for fetching the turnServer address. They expect developers to have their own TurnServer.
https://github.com/webrtc/apprtc/issues/175
I'm trying to build a api site using Flask, and I am using Flask-jwt to provide token authorization.
The authorizaiton works fine if I do CORS in Apache ( using mod_headers to add Allow-Access headers, like this
Header set Access-Control-Allow-Origin "*"
However, I want to have more detailed access control instead of just using wildcard. and I looked at flask-cors, which is a nice wrapper to check origin and send the header.
And now my route looks like this (and no header manipulation in apache settings)
#app.route('/protected/place')
#cross_origin(headers=['Content-Type']) # Send Access-Control-Allow-Headers
#jwt_required()
def my_view_func():
do something
But now I will not get the Access-Control headers response from the server if I make the http request from javascript. (However, if I manually post, like doing curl, i can still see the cross origin plugin working and the Access control headers)
When I remove the #jwt_required wrapper, the cross_origin wrapper functions fine and it will give me response.
when the jwt_required wrapper is applied, no response can be seen from the server.
I'm debugging my client page with chrome. BTW
I tried to change the order of the wrappers, but it doesn't help.
Is it possible that, if the authentication fails, the cross_origin wrapper will not send the Access Control headers?
the source code of the two wrappers :
flask-jwt:
https://github.com/mattupstate/flask-jwt/blob/master/flask_jwt/init.py
flask-cors:
https://github.com/wcdolphin/flask-cors/blob/master/flask_cors.py
After struggling for many hours, I finally found the problem. Hope it helps others who encouter the same problem.
Just need to include Authorization in "headers" argument (which sets the Access-Control-Allow-Headers field) when authentication is needed.
Like this
#app.route('/protected/place')
#cross_origin(headers=['Content-Type','Authorization']) # Send Access-Control-Allow-Headers
#jwt_required()
def my_view_func():
do something
I'm trying to use urlfetch to make a request to my application (the same application which is sending the request) however, it doesn't work.
My code is as follows;
uploadurl = 'http://myapp.appspot.com/posturl'
result = urlfetch.fetch(
url=uploadurl,
payload=data,
method=urlfetch.POST,
headers={'Content-Type': 'application/x-www-form-urlencoded'})
There is no error at all when I call this, and everything seems to work correctly, however the request never arrives. For debugging purposes, I changed the uploadurl to a different application which I own and it worked fine. Any ideas why I can't send requests using urlfetch to the same application?
The full (real) url that I would call is made by
session = str(os.urandom(16).encode('hex'))
uploadurl = blobstore.create_upload_url('/process?session=' + session)
So I can't understand how that could be incorrect as the url is made for me.
Thanks.
I don't know how you're verifying that the request "never arrives". The blobstore URLs are not handled by your application's actual code, but by the App Engine runtime itself, so if you're looking in the logs you won't see that request there.
I think it is not possible, to prevent endless loop. From the urlfetch api documentation page:
To prevent an app from causing an endless recursion of requests, a
request handler is not allowed to fetch its own URL. It is still
possible to cause an endless recursion with other means, so exercise
caution if your app can be made to fetch requests for URLs supplied by
the user.
I'm building a Python application that needs to communicate with an OAuth service provider. The SP requires me to specify a callback URL. Specifying localhost obviously won't work. I'm unable to set up a public facing server. Any ideas besides paying for server/hosting? Is this even possible?
Two things:
The OAuth Service Provider in question is violating the OAuth spec if it's giving you an error if you don't specify a callback URL. callback_url is spec'd to be an OPTIONAL parameter.
But, pedantry aside, you probably want to get a callback when the user's done just so you know you can redeem the Request Token for an Access Token. Yahoo's FireEagle developer docs have lots of great information on how to do this.
Even in the second case, the callback URL doesn't actually have to be visible from the Internet at all. The OAuth Service Provider will redirect the browser that the user uses to provide his username/password to the callback URL.
The two common ways to do this are:
Create a dumb web service from within your application that listens on some port (say, http://localhost:1234/) for the completion callback, or
Register a protocol handler (you'll have to check with the documentation for your OS specifically on how to do such a thing, but it enables things like <a href="skype:555-1212"> to work).
(An example of the flow that I believe you're describing lives here.)
In case you are using *nix style system, create a alias like 127.0.0.1 mywebsite.dev in /etc/hosts (you need have the line which is similar to above mentioned in the file, Use http://website.dev/callbackurl/for/app in call back URL and during local testing.
This was with the Facebook OAuth - I actually was able to specify 'http://127.0.0.1:8080' as the Site URL and the callback URL. It took several minutes for the changes to the Facebook app to propagate, but then it worked.
This may help you:
http://www.marcworrell.com/article-2990-en.html
It's php so should be pretty straightforward to set up on your dev server.
I've tried this one once:
http://term.ie/oauth/example/
It's pretty simple. You have a link to download the code at the bottom.
localtunnel [port] and voila
http://blogrium.wordpress.com/2010/05/11/making-a-local-web-server-public-with-localtunnel/
http://github.com/progrium/localtunnel
You could create 2 applications? 1 for deployment and the other for testing.
Alternatively, you can also include an oauth_callback parameter when you requesting for a request token. Some providers will redirect to the url specified by oauth_callback (eg. Twitter, Google) but some will ignore this callback url and redirect to the one specified during configuration (eg. Yahoo)
So how I solved this issue (using BitBucket's OAuth interface) was by specifying the callback URL to localhost (or whatever the hell you want really), and then following the authorisation URL with curl, but with the twist of only returning the HTTP header. Example:
curl --user BitbucketUsername:BitbucketPassword -sL -w "%{http_code} %{url_effective}\\n" "AUTH_URL" -o /dev/null
Inserting for your credentials and the authorisation url (remember to escape the exclamation mark!).
What you should get is something like this:
200 http://localhost?dump&oauth_verifier=OATH_VERIFIER&oauth_token=OATH_TOKEN
And you can scrape the oath_verifier from this.
Doing the same in python:
import pycurl
devnull = open('/dev/null', 'w')
c = pycurl.Curl()
c.setopt(pycurl.WRITEFUNCTION, devnull.write)
c.setopt(c.USERPWD, "BBUSERNAME:BBPASSWORD")
c.setopt(pycurl.URL, authorize_url)
c.setopt(pycurl.FOLLOWLOCATION, 1)
c.perform()
print c.getinfo(pycurl.HTTP_CODE), c.getinfo(pycurl.EFFECTIVE_URL)
I hope this is useful for someone!