how to bypass Access-Control-Allow-Origin?

how to bypass Access-Control-Allow-Origin?

I’m doing a ajax call to my own server on a platform which they set prevent these ajax calls (but I need it to fetch the data from my server to display retrieved data from my server’s database).
My ajax script is working , it can send the data over to my server’s php script to allow it to process.
However it cannot get the processed data back as it is blocked by “Access-Control-Allow-Origin”
I have no access to that platform’s source/core. so I can’t remove the script that it disallowing me to do so.
(P/S I used Google Chrome’s Console and found out this error)
The Ajax code as shown below:
$.ajax({
type: “GET”,
url: “http://example.com/retrieve.php”,
data: “id=” + id + “&url=” + url,
dataType: ‘json’,
cache: false,
success: function(data)
{
var friend = data[1];
var blog = data[2];
$(‘#user’).html(“Friends: “+friend+”
Blogs:
“+blog);

}
});

or is there a JSON equivalent code to the ajax script above ? I think JSON is allowed.
I hope someone could help me out.

Related:  Video buffering in IE/Edge using Media Source Extensions

Solutions/Answers:

Solution 1:

Put this on top of retrieve.php:

header('Access-Control-Allow-Origin: *');  

Note that this effectively disables CORS protection, and leaves your users exposed to attack. If you’re not completely certain that you need to allow all origins, you should lock this down to a more specific origin:

header('Access-Control-Allow-Origin: https://www.example.com')

Solution 2:

Okay, but you all know that the * is a wildcard and allows cross site scripting from every domain?

You would like to send multiple Access-Control-Allow-Origin headers for every site that’s allowed to – but unfortunately its officially not supported to send multiple Access-Control-Allow-Origin headers, or to put in multiple origins.

You can solve this by checking the origin, and sending back that one in the header, if it is allowed:

$origin = $_SERVER['HTTP_ORIGIN'];
$allowed_domains = [
    'http://mysite1.com',
    'https://www.mysite2.com',
    'http://www.mysite2.com',
];

if (in_array($origin, $allowed_domains)) {
    header('Access-Control-Allow-Origin: ' . $origin);
}

Thats much safer. You might want to edit the matching and change it to a manual function with some regex, or something like that. At least this will only send back 1 header, and you will be sure its the one that the request came from. Please do note that all HTTP headers can be spoofed, but this header is for the client’s protection. Don’t protect your own data with those values. If you want to know more, read up a bit on CORS and CSRF.

Related:  Can I call $(document).ready() to re-activate all on load event handlers?

Why is it safer?

Allowing access from other locations then your own trusted site allows for session highjacking. I’m going to go with a little example – image Facebook allows a wildcard origin – this means that you can make your own website somewhere, and make it fire AJAX calls (or open iframes) to facebook. This means you can grab the logged in info of the facebook of a visitor of your website. Even worse – you can script POST requests and post data on someone’s facebook – just while they are browsing your website.

Be very cautious when using the ACAO headers!

Solution 3:

Warning, Chrome (and other browsers) will complain that multiple ACAO headers are set if you follow some of the other answers.

The error will be something like XMLHttpRequest cannot load ____. The 'Access-Control-Allow-Origin' header contains multiple values '____, ____, ____', but only one is allowed. Origin '____' is therefore not allowed access.

Try this:

$http_origin = $_SERVER['HTTP_ORIGIN'];

$allowed_domains = array(
  'http://domain1.com',
  'http://domain2.com',
);

if (in_array($http_origin, $allowed_domains))
{  
    header("Access-Control-Allow-Origin: $http_origin");
}

Solution 4:

I have fixed this problem when calling a MVC3 Controller.
I added:

Response.AddHeader("Access-Control-Allow-Origin", "*"); 

before my

return Json(model, JsonRequestBehavior.AllowGet);

And also my $.ajax was complaining that it does not accept Content-type header in my ajax call, so I commented it out as I know its JSON being passed to the Action.

Related:  Getting attribute of element in ng-click function in angularjs

Hope that helps.

Solution 5:

best would be to allow single domains, be careful about the http:// :

     header('Access-Control-Allow-Origin: http://www.foo.com', false);
     header('Access-Control-Allow-Origin: http://www.foo2.com', false));

Solution 6:

Have you tried actually adding the Access-Control-Allow-Origin header to the response sent from your server? Like, Access-Control-Allow-Origin: *?