Crossdomain ajax request - what could be the problem?

M

Mikhail Osher2014-03-26 09:57:05

Yii

Mikhail Osher, 2014-03-26 09:57:05

What we are dealing with:
- Angular on the frontend (to be more precise, Restangular, but it uses Angular.$http)
- Yii on the backend (actually, this is not so important) I am
trying to send a request to manager.rfx.dev api.rfx.dev . (local domains)
I spice up Angular with the following headers:

RestangularProvider.setDefaultHeaders({
    'Content-Type': 'application/json',
    'X-Requested-With': 'XMLHttpRequest'
});
RestangularProvider.setDefaultHttpFields({
    'withCredentials': true
});

On the backend I send the following headers:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
header('Access-Control-Request-Headers: Accept, X-Requested-With');
header('Access-Control-Allow-Credentials: true');

I get:

OPTIONS api.rfx.dev/contexts 403 (Forbidden) angular.min.js:73
OPTIONS api.rfx.dev/contexts No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin ' manager.rfx.dev ' is therefore not allowed access. angular.min.js:73
XMLHttpRequest cannot load api.rfx.dev/contexts. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin ' manager.rfx.dev ' is therefore not allowed access.

At the time of writing the question, I stupefied that OPTIONS is sent . Should it be added to Allow-Methods ? Or does it count as GET?
On the other hand, I'm sending the Access-Control-Allow-Origin header...
Actually, WHAT?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

E

egor_nullptr, 2014-03-26
@miraage

For cross-domain requests with withCredentials: true , the Access-Control-Allow-Origin header must be set to a specific value, the asterisk is invalid.
Instead header('Access-Control-Allow-Origin: *');try

header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);