WebFaction

I have an error similar to the following:

Origin http://mydomain.com is not allowed by Access-Control-Allow-Origin.

What methods are available to overcome this type of error?

asked 06 Nov '12, 23:52

ryans ♦♦

edited 01 Jul '13, 02:18


The simple answer to your question is to add this header to the server's response:

Access-Control-Allow-Origin: http://mydomain.com

If you are using cookies, you also need to add this (as well as turning on withCredentials in your ajax request):

Access-Control-Allow-Credentials: true

That said, unfortunately the scope of the problem is actually larger than this, and the solutions above are not universal. None of these problems are exacerbated by WebFaction's platform; it's a central issue that the web community has been dealing with recently. Here's a summary of the main points which may prove useful:

(1) The appropriate way to deal with this issue is to use CORS (Cross-Origin Resource Sharing): http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

This is described in more detail here: https://developer.mozilla.org/en-US/docs/HTTP_access_control

Currently, the only web browsers that really support CORS are Firefox, Chrome, and Internet Explorer 10. Opera and older versions of IE don't support CORS.

(2) In order to avoid cross-browser complexity, people usually just use JSONP, which jQuery makes very easy. You just set dataType:"jsonp" in the ajax function call.

JSONP works by injecting <script> tags into the document dynamically, which works everywhere. However, it uses an eval() method on the client side to do so, and that can be insecure if you do not control the server that you are making requests to. CORS is considered to be much more secure than JSONP, so use CORS where possible because security is unwaveringly an issue of utmost priority in application development.

On top of that, JSONP can only issue GET requests (not POST, etc) because it is implemented via <script> tags.

(3) A popular compromise to avoid JSONP is to use CORS, and in the browsers that don't support it, fall back to doing everything over a single domain. For many applications falling back to a single domain is a significant performance bottleneck, because browsers typically throttle the number of simultaneous open connections per domain.

(4) Another method that is popular, but introduces possible security problems and the same performance bottleneck mentioned above, is to implement a front-end proxy on a domain which then internally forwards to your various domains. It's simple, but like JSONP, I wouldn't recommend it except as a last resort.

Hope that helps!

answered 06 Nov '12, 23:57

ryans ♦♦
edited 01 Jun '13, 18:59
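The two headers from the answer, worked into a small server-side decision function as an added example (not code from the original post or from WebFaction). It assumes a constructed allowlist containing http://mydomain.com and shows the checks a practitioner wants: echo only an allowlisted Origin, never "*" together with Access-Control-Allow-Credentials, send Vary: Origin, and answer the OPTIONS preflight.

```python
# Added example, not from the original answer. ALLOWED_ORIGINS is a constructed
# allowlist; request header dicts are assumed to use canonical header names.

ALLOWED_ORIGINS = {"http://mydomain.com", "https://mydomain.com"}


def cors_headers(request_headers, method, allow_credentials=True):
    """Return the CORS response headers for one request.

    Returns {} when the Origin header is absent or not allowlisted; the
    browser then refuses to hand the response to the calling script.
    The Origin value is echoed only after an exact allowlist match, so an
    arbitrary Origin is never reflected, and "*" is never combined with
    Access-Control-Allow-Credentials: true (browsers reject that pairing).
    """
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}

    headers = {
        "Access-Control-Allow-Origin": origin,
        # Per-origin responses must not be served from a shared cache to
        # a different origin.
        "Vary": "Origin",
    }
    if allow_credentials:
        # Required when the browser sends cookies (withCredentials = true).
        headers["Access-Control-Allow-Credentials"] = "true"

    is_preflight = (method.upper() == "OPTIONS"
                    and "Access-Control-Request-Method" in request_headers)
    if is_preflight:
        # Preflight: state which methods and request headers the real
        # cross-origin request may use, and let the browser cache that.
        headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        requested = request_headers.get("Access-Control-Request-Headers")
        if requested:
            headers["Access-Control-Allow-Headers"] = requested
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    # Constructed requests: one allowlisted origin, one that is not.
    print(cors_headers({"Origin": "http://mydomain.com"}, "GET"))
    print(cors_headers({"Origin": "http://other.example"}, "GET"))
```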