Support #8151
openXMLHttpRequest error
0%
Description
I'm trying to add my Wt-based widget to an existing HTML page. I create and start a local server with default configuration file on my laptop and call
"hello.exe --http-address=127.0.0.1 --http-port=8080 --deploy-path=/hello --docroot=."
in html I write this:
///////////////////////////////////////////////////////////////////////////////////////////////////
....
<!-- End hidden fields for Wt's internal path API -->
<!--
We need a place holder for every widget to which we want to bind
a WContainerWidget in Wt
-->
<!--
As the last step, we load our application.
-->
///////////////////////////////////////////////////////////////////////////////////////////////////
The browser can't show my embedded widget with the following error:
Access to XMLHttpRequest at 'http://localhost:8080/hello.js?wtd=i7XwnllcOtORsO7n&wtt=widgetset' from origin 'null' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
How to fix it?
Files
Updated by Korneel Dumon about 3 years ago
Have a look at the <allowed-origins> option in wt_config.xml. There is also some documentation there about CORS and widget-set mode.
Updated by Alex Fedorov about 3 years ago
This is my configuration file:
*
I still see this error:
"Access to XMLHttpRequest at 'http://127.0.0.1:8080/hello.js?wtd=y4PonNz6Ak4t0MdI&wtt=widgetset' from" origin 'null' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute."
Option "" in config file recommended in your documentation doesn't work.
If I remove forced origin renaming in your core everything works fine:
//if (isEqual(origin, "null"))
//origin = "*";
What's the reason of this origin renaming in your library? How to fix it without library code changing?
Updated by Korneel Dumon about 3 years ago
Which browser are you using? When I try it, the Origin header is 'http://localhost:8080', I am wondering how you get a value of 'null'.
I think the reason we don't return null is because it is discouraged by the w3c:
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null