
I'm making an ajax call from the domain "test.a.b.in" to "main.a.b.in". Action result method is defined in https://main.a.b.in/statusCheckFromExternalApp.htm.

I have already given the Referer as "https://test.a.b.in/" in the main application while filtering allowed referers, and the test application doesn't do such filtering.

I have to check the status details of the student from the main application, but it gives the following error in the browser:

Access to XMLHttpRequest at 'https://main.a.b.in/statusCheckFromExternalApp.htm' from origin 'https://test.a.b.in' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'http://main.a.b.in' that is not equal to the supplied origin.

Error in browser console:

POST main.a.b.in/statusCheckFromExternalApp.htm net::ERR_FAILED 200

Network details

Request URL: https://main.a.b.in/statusCheckFromExternalApp.htm
Request Method: POST
Status Code: 200
Referrer Policy: strict-origin-when-cross-origin

Response headers

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://main.a.b.in
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: application/json;charset=UTF-8

Request Header

Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: keep-alive
Content-Length: 137
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: app.ktu.edu.in
Origin: https://test.a.b.in
Referer: https://test.a.b.in/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99 

JS code

function checkPaymentStatusFromExternalApp() {
    var url = "https://main.a.b.in/statusCheckFromExternalApp.htm";
    var data = {"username": "name", "password": "pass"};

    $.ajax({
        type: "POST",
        url: url,
        data: {
            "pageAction": "statusFromExternalApp",
            "authenticationFields": data
        },
        dataType: "json",
        success: function(response) {
            if (response.success == false) {
                alert(response.errorMsg);
            } else {
                alert(response.successMsg);
            }
        }
    });
}

The actionResult method "statusFromExternalApp" is written in the "statusCheckFromExternalApp" Java page class, and it returns a JSON result.

Please provide a solution to get access to this statusFromExternalApp method at https://main.a.b.in/statusCheckFromExternalApp.htm.

  • Are you able to change the response header of the server which belongs to the `main.a.b.in` domain? Because it's returning `Access-Control-Allow-Origin: http://main.a.b.in`. It might be like this: `Access-Control-Allow-Origin: http://*.a.b.in` – halil ibrahim binol May 12 '22 at 06:55
  • @halilibrahimbinol No, I'm not able to edit the same. Are there parameters to be added to the ajax call? – wisdom_seeker May 12 '22 at 07:06
  • No. Browsers restrict cross-origin HTTP requests. Cross-origin requests are controlled by CORS. You can't send an HTTP request that is not allowed for your domain in the browser. You can ask the owner of the `main.a.b.in` domain to add `test.a.b.in` to the `Access-Control-Allow-Origin` header. – halil ibrahim binol May 12 '22 at 07:17
  • @halilibrahimbinol I have already added the "https://test.a.b.in/" referer, which is shown in the request header in the main.a.b.in domain. Also it shows the status code as 200. – wisdom_seeker May 12 '22 at 07:39
  • I can't relate CORS and Referer. Yes, it would show a 200 status code, but look at the error that the browser throws. In Chrome it would be like `Cross-Origin Resource Sharing error: MissingAllowOriginHeader` – halil ibrahim binol May 12 '22 at 07:50
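The point made in the comments above, as an added example that is not code from the question or from the main.a.b.in application: the browser-side comparison that produced the error (the `Access-Control-Allow-Origin` value must match the request's origin exactly, scheme included), and the server-side allowlist logic the owner of main.a.b.in would need so that https://test.a.b.in is permitted. The allowlist contents are an assumption.

```javascript
// Added example, not the application's code. ALLOWED_ORIGINS is an assumed
// allowlist that the owner of main.a.b.in would configure.
const ALLOWED_ORIGINS = new Set(["https://main.a.b.in", "https://test.a.b.in"]);

// Browser-side rule (what Chrome applied to the response in the question):
// the Access-Control-Allow-Origin value must be "*" or exactly the request's
// origin, and "*" is refused when credentials are involved.
function browserAccepts(acaoValue, requestOrigin, withCredentials) {
  if (acaoValue === undefined) return false;          // MissingAllowOriginHeader
  if (acaoValue === "*") return !withCredentials;
  return acaoValue === requestOrigin;                  // scheme, host and port must all match
}

// Server-side rule: validate the Origin request header against the allowlist
// and echo it back verbatim. Browsers do not understand patterns such as
// "http://*.a.b.in" in this header, so each permitted origin is listed explicitly.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string") return null;  // no Origin: not a cross-origin browser request
  let parsed;
  try { parsed = new URL(originHeader); } catch { return null; }
  // A real Origin header is scheme://host[:port] only; reject anything else
  // (paths, trailing slashes, userinfo) instead of reflecting it back.
  if (parsed.origin !== originHeader || !allowed.has(parsed.origin)) return null;
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                                  // the response differs per origin; keep caches honest
  };
}

// Preflight (OPTIONS) variant. The form-encoded POST in the question is a
// "simple" request and skips preflight; a JSON body or a custom header would not.
function preflightHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  const base = corsHeadersFor(originHeader, allowed);
  if (base === null) return null;
  return {
    ...base,
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Max-Age": "600",
  };
}
```

Because the response in the question carries `Access-Control-Allow-Credentials: true`, a wildcard would not rescue it either; only an exact echo of the allowed origin does.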
