Project

General

Profile

Support #8151

XMLHttpRequest error

Added by Alex Fedorov 5 months ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
02/26/2021
Due date:
% Done:

0%

Estimated time:

Description

I'm trying to add my Wt-based widget to an existing HTML page. I create and start a local server with default configuration file on my laptop and call

"hello.exe --http-address=127.0.0.1 --http-port=8080 --deploy-path=/hello --docroot=."

in html I write this:
///////////////////////////////////////////////////////////////////////////////////////////////////
....

<!-- End hidden fields for Wt's internal path API -->

<!--
We need a place holder for every widget to which we want to bind
a WContainerWidget in Wt
-->

<!--
As the last step, we load our application.
-->

///////////////////////////////////////////////////////////////////////////////////////////////////

The browser can't show my embedded widget with the following error:

Access to XMLHttpRequest at 'http://localhost:8080/hello.js?wtd=i7XwnllcOtORsO7n&wtt=widgetset' from origin 'null' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

How to fix it?


Files

config.jpg (31 KB) config.jpg Alex Fedorov, 02/26/2021 09:26 PM
#1

Updated by Korneel Dumon 5 months ago

Have a look at the <allowed-origins> option in wt_config.xml. There is also some documentation there about CORS and widget-set mode.

#2

Updated by Alex Fedorov 5 months ago

This is my configuration file:



*



I still see this error:
"Access to XMLHttpRequest at 'http://127.0.0.1:8080/hello.js?wtd=y4PonNz6Ak4t0MdI&wtt=widgetset' from" origin 'null' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute."
Option "
" in config file recommended in your documentation doesn't work.

If I remove forced origin renaming in your core everything works fine:
//if (isEqual(origin, "null"))
//origin = "*";

What's the reason of this origin renaming in your library? How to fix it without library code changing?

#3

Updated by Alex Fedorov 5 months ago

#4

Updated by Korneel Dumon 5 months ago

Which browser are you using? When I try it, the Origin header is 'http://localhost:8080', I am wondering how you get a value of 'null'.

I think the reason we don't return null is because it is discouraged by the w3c:
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null

Also available in: Atom PDF