Cordova can not access to AJAX #73

Closed
salehmosleh opened this issue Feb 25, 2019 · 7 comments

@salehmosleh

I'm using the Browser platform of Cordova, and I'm also using cordova-plugin-whitelist and a Content-Security-Policy tag in my HTML code, but I get the error below in the console:

JQMIGRATE: Migrate is installed, version 3.0.0 
adding proxy for Device 
SEC7118: XMLHttpRequest for http://app.jpcomplex.com/appserver/?ios=1&username=&devid=1551073647241314 required Cross Origin Resource Sharing (CORS). 
index.html
SEC7120: Origin http://localhost:8000 not found in Access-Control-Allow-Origin header. 
index.html
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.
index.html

Here is my config.xml:

<?xml version='1.0' encoding='utf-8'?>
<widget id="io.cordova.hellocordova" version="1.0.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
    <name>HelloCordova</name>
    <description>
        A sample Apache Cordova application that responds to the deviceready event.
    </description>
    <author email="dev@cordova.apache.org" href="http://cordova.io">
        Apache Cordova Team
    </author>
    <content src="index.html" />
    <access origin="*" />
    <allow-navigation href="http://app.jpcomplex.com/*" />
    <allow-navigation href="*" />
    <allow-navigation href="http://*/*" />
    <allow-navigation href="https://*/*" />
    <allow-navigation href="data:*" />
    <allow-intent href="http://app.jpcomplex.com/*" />
    <allow-intent href="*" />
    <plugin name="cordova-plugin-x-toast" spec="^2.7.2" />
    <plugin name="cordova-plugin-dialogs" spec="^2.0.1" />
    <plugin name="cordova-plugin-nativestorage" spec="^2.3.2" />
    <plugin name="cordova-plugin-device" spec="^2.0.2" />
    <plugin name="cordova-plugin-whitelist" spec="^1.3.3" />
    <engine name="browser" spec="^5.0.4" />
    <engine name="android" spec="^7.1.4" />
    <engine name="ios" spec="^4.5.5" />
</widget>

And here is the meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

And here is my AJAX request:

$.get("http://app.jpcomplex.com/appserver/",{ios:1,username:'test'},function(data){
	alert(data);
});

How can I fix it?

@janpio
Member

janpio commented Feb 25, 2019

SEC7120: Origin http://localhost:8000 not found in Access-Control-Allow-Origin header.

Is localhost:8000 included in the Access-Control-Allow-Origin header?

@salehmosleh
Author

@janpio, hi, how can I do it?

@janpio
Member

janpio commented Feb 25, 2019

How can you find out if it is? Look at the server code generating the response. If you don't control the server, the response is most probably no, but you can check using your browser's dev tools' network panel, where you can look at the headers of the response.

@salehmosleh
Author

salehmosleh commented Feb 25, 2019

@janpio, I can use the header method below in my PHP code and it works fine, but it is not secure!
<?php header('Access-Control-Allow-Origin: *'); //for all ?>
My question is: do I have the same problem on the iOS/Android platforms, or is it just for the Browser platform? Because I didn't test it on other platforms like Android or iOS. I'm new to Cordova.
Thank you so much.

@janpio
Member

janpio commented Feb 25, 2019

You don't have to put *, adding it for the hostname in the error message should be enough.

This is a CORS problem, so you might have or not have the same problem on native platforms depending on how exactly the request is sent. Hard to predict, you best try it out.

@benitogf

@salehmosleh think that you need to include connect-self on the security policy meta, including the host, something like: https://github.com/benitogf/hotpot/blob/master/client/src/index.pug#L8

@breautek
Contributor

SEC7120: Origin http://localhost:8000 not found in Access-Control-Allow-Origin header.

Is stating that whatever server you're trying to access is being blocked because they have CORS enabled and your server isn't the allowed origin. The server needs to send the Access-Control-Allow-Origin header with the value of http://localhost:8000 or use the * wildcard.

MDN has a good resource that explains everything you need to know about CORS. I've also written a blog post on this, while the subject is about iOS and the WKWebView... the CORS concept is still the same.

I'm closing this because this is not a bug with Cordova.
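
The check behind SEC7120, and the narrower alternative to `*` suggested in the thread, modelled as an added example that is not part of the original issue or of Cordova. `ALLOWED_ORIGINS`, `corsHeadersFor` and `browserAllowsRead` are hypothetical names, and the sample origins are constructed for illustration.

```javascript
// Added example: a server-side origin allowlist plus a model of the
// browser's Access-Control-Allow-Origin check for a simple GET request.

// Assumption: the only origin that should read the API is the Cordova
// browser-platform dev server named in the error message.
const ALLOWED_ORIGINS = new Set(["http://localhost:8000"]);

// Server side: choose the CORS headers for the request's Origin header.
// Exact string membership only; prefix or substring matching would also
// accept look-alike hosts such as "http://localhost:8000.attacker.example".
function corsHeadersFor(requestOrigin) {
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers: the browser refuses to expose the response
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // The response differs per Origin, so caches must key on it.
    "Vary": "Origin",
  };
}

// Browser side: may script on pageOrigin read a response with these headers?
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;        // header missing: blocked (SEC7120)
  if (acao === "*") return !withCredentials;   // wildcard is rejected with credentials
  if (acao !== pageOrigin) return false;       // scheme://host:port must match exactly
  if (withCredentials) {
    return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}

// Constructed sample origins, run through both sides of the exchange.
const samples = [
  "http://localhost:8000",
  "http://localhost:8000.attacker.example",
  "https://localhost:8000",
  "null",
];
for (const origin of samples) {
  const headers = corsHeadersFor(origin);
  const verdict = browserAllowsRead(origin, headers) ? "readable" : "blocked";
  console.log(origin.padEnd(42), verdict);
}
```

The same decision applies to the PHP `header()` call in the thread: send the specific origin plus `Vary: Origin` only when the request's `Origin` is on the allowlist, and send nothing otherwise.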
