I am getting the following CORS error when I am trying to make calls to my RESTful web services written in PHP ONLY when I am behind my corporate firewall.
Refused to connect to 'http://prx-9k-40-hadc/?cfru=aHR0cDovL2phY2tzb25uZy5wcm9qZWN0c2JpdC5vcmcvcGl6emFwbGFjZS9sb2dpbl9hZG1pbi5waHA/dXNlcmlkPWFkbWluJnBhc3N3b3JkPWFkbWlu' because it violates the following Content Security Policy directive: "connect-src 'self' data: gap: http://myurl. https://ssl.gstatic. 'unsafe-eval' 'self' ws:".
This does not happen when I am not behind the corporate firewall (i.e. I am logging on from home and not connected through corporate VPN).
My content security policy is as follows:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: http://myurl. https://ssl.gstatic. 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
And this is how I did my Ajax call:
$.ajax({
    url: url,
    type: 'GET',
    data: JSONObject,
    dataType: 'json',
    contentType: "application/json; charset=utf-8",
    success: function (arr) {
        _getLoginResult(arr);
    },
    error: function () {
        validationMsg();
    }
});
My headers in my PHP web service look like this:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');
header("Content-Type: application/json; charset=UTF-8");
Again, here are the symptoms:
Everything here works fine when I am NOT behind my corporate firewall, and not logged in to my company through its VPN.
Once I am logged in, the CORS error occurs, and none of the settings changes that I attempted to make in the server, or changes to my content security policy, changes anything.
I see that it says "refused to connect to http://prx-9k-40-hadc". This is definitely not the URL of my RESTful web services. It feels like my company's proxy server.
Has anyone encountered this? I would like to be able to run my web services behind my corporate firewall.
I solved it. My corporate firewall was configured to strip access control headers it considers dangerous. Obviously it felt that this was dangerous if it isn't accessed via SSL.
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');
header("Content-Type: application/json; charset=UTF-8");
So all I did was make my RESTful service calls with https:// instead of http:// and all is fine.
I definitely didn't think this was the problem because less than a week ago, this firewall directive didn't exist.
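Added example (not part of the original question or answer): a JavaScript diagnostic for the situation above, where the URL named in the CSP error is not the URL the app requested. It assumes the `cfru` parameter carries the original URL in base64, as the error message suggests; the policy, hosts and function names are constructed for illustration, and the source matching is deliberately simplified.

```javascript
// Added diagnostic sketch. All hosts and URLs are constructed placeholders.
const POLICY = "default-src 'self' data: gap: http://api.example.test 'unsafe-eval'; " +
  "style-src 'self' 'unsafe-inline'; media-src *";
const PAGE_ORIGIN = 'https://app.example.test';
const REQUESTED = 'http://api.example.test/login.php?user=demo';
// Same shape as the blocked URL in the error: proxy host + base64 of the original URL.
const BLOCKED = 'http://proxy.example.test/?cfru=' + btoa(REQUESTED);

// Effective connect-src list: the directive itself, else the default-src fallback.
function connectSources(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives['connect-src'] || directives['default-src'] || [];
}

// Simplified matching: 'self', scheme sources (data:, ws:) and plain host sources.
// Wildcards, ports and paths are not handled; an http:// source also admits https.
function allowedBy(sources, target, pageOrigin) {
  const u = new URL(target);
  return sources.some((src) => {
    if (src === "'self'") return u.origin === pageOrigin;
    if (src.startsWith("'")) return false; // other keywords, e.g. 'unsafe-eval'
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
    if (!m || m[2].toLowerCase() !== u.hostname) return false;
    const scheme = m[1] ? m[1].toLowerCase() + ':' : u.protocol;
    return scheme === u.protocol || (scheme === 'http:' && u.protocol === 'https:');
  });
}

// Compare the URL the app requested with the URL the CSP error says was blocked.
function diagnose(policy, pageOrigin, requestedUrl, blockedUrl) {
  const sources = connectSources(policy);
  const requested = new URL(requestedUrl);
  const blocked = new URL(blockedUrl);
  // URLSearchParams turns '+' into a space, so restore it before decoding.
  const cfru = (blocked.searchParams.get('cfru') || '').replace(/ /g, '+');
  let wrappedOriginal = null;
  try { if (cfru) wrappedOriginal = atob(cfru); } catch (e) { /* not base64 */ }
  return {
    requestedAllowed: allowedBy(sources, requestedUrl, pageOrigin),
    blockedAllowed: allowedBy(sources, blockedUrl, pageOrigin),
    redirectedToOtherHost: blocked.host !== requested.host,
    wrappedOriginal,
    plainHttp: requested.protocol === 'http:',
  };
}

console.log(diagnose(POLICY, PAGE_ORIGIN, REQUESTED, BLOCKED));
```

When `requestedAllowed` is true but `blockedAllowed` is false and `redirectedToOtherHost` is true, the policy itself permits the API and something on the network path redirected the request; `plainHttp` flags the unencrypted request that an intermediary is able to rewrite.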