Maybe you should try this? It works fine on my Apache server: Header always set Access-Control-Allow-Headers "Authorization, X-Requested-With, Content-Type, Accept, Origin" Use Access-Control-Allow-Headers instead of Access-Control-Request-Headers.

If you wish to load cross-origin images to a canvas, you need to either serve the image with cross-origin headers or under the same origin. That image under Facebook is served with the following header option set: Access-Control-Allow-Origin:* Meaning, it can be cross-origin loaded with the useCORS option. However, it would appear that your Host B isn't serving them with cross-origin headers set.

Provided the request is a 'simple method' (GET/HEAD/POST) and the headers are all 'simple headers', then the browser can follow the 'simple' steps for the request, which don't include an OPTIONS pre-flight.

The Problem The problem I was having was due to a setting in my Apache config file which looked like this: <IfModule mod_headers.c> Header set Access-Control-Allow-Origin "*" </IfModule> In order to solve my particular problem I simple removed / commented out the above code as it was overriding the headers I sent from PHP. My implemented solution was then quite simple. In the following example we'll assume that I am making a call from one.example.com (the main website) to two.example.com (a sub-site). Kohana / PHP In my PHP I set the following headers, I've chosen to do this in my parent Controller. You could create your own Cors class or helper if you prefer. Basically you don't want to have this code duplicated hundreds of times throughout your project. $this->

Cross-sub-domain requests are still considered cross-domain requests as different sub-domains can point to entirely different IPs and servers. You'll definitely get errors if you don't set up CORS properly in your production setup. Edit: To properly emulate production setup, you'll need to play with the IIS binding configuration. If you can't get it working, you shall try a VM for hosting the api.hybridwebapp.com, which will definitely work as CORS is triggered automatically between different servers.

Pretty old question, but it's still open- so In case you didn't see this answer already, Mademoiselle Geek is spot-on. A quick double-check on my heroku app verifies that you can, in fact, just type https: instead of http: and it will accept an SSL connection automatically- no set up required. The only thing you do have to set up is in your Facebook.js.coffee- this section.. initializeFacebookSDK = -> FB.init channelUrl : 'http://app.heroku.com/page/fbchannel' Change to.. initializeFacebookSDK = -> FB.init channelUrl : 'https://app.heroku.com/page/fbchannel' Then, depending on your operating system (I use linux) do a quick grep search (or search the text of files within a directory) for http://app.heroku and change it to https, just to be safe.

I have found the answer to my problem. Initially, I was adding the header information to the Passenger web server via my sites-available/defaults file, and the Sinatra web service routes. Having set the CORS response headers in both places caused my response headers to have duplicate header information about the allowed origin, methods, etc. Once I removed the headers from the web server, and left them on the web service routes, my requests went through.

Well, that's the problem. Cross-origin restrictions do not allow you to communicate across ports without sending a Access-Control-Allow-Origin: * header. A better solution would be to use Nginx or some other webserver to reverse proxy those two running applications to the same domain and port.

You'd need to modify your GET request to be a JSONP request. How to make a JSONP request from Javascript without JQuery?

If you make the request using PHP running on your server then the request comes from you. If you make the request using JavaScript running in your visitor's browser, then the request comes from your visitor … with your visitor's identity … and your visitor's credentials … but the data would still be available to your code. If the browser let you access data from arbitrary websites, then you could access your visitor's private information on those sites. Access-Control-Origin allows a server to state that the data available for a given URI is not private, so JavaScript running on other sites is allowed to access it.

Put this in your JS: <script> jQuery.support.cors = true; $(document).ready(function(){ //stuff } </script>

Ended up using this code sample to address my issue. Thanks to everyone for the help! $.ajax({ type: "POST", xhr: (window.ActiveXObject) ? function() { try { return new window.ActiveXObject("Microsoft.XMLHTTP"); } catch(e) {} } : function() { return new window.XMLHttpRequest(); }, url: ajaxurl, data: post, beforeSend: function(){ }, success: function(returndata){ } });

You need to serialize service output using custom code. These links can help you: http://www.codeproject.com/Articles/43038/Accessing-Remote-ASP-NET-Web-Services-Using-JSONP JSONP & ASMX Web Service

You can do couple of things, crossdomain.xml well they didn't work well for me, there is HTML Header for it, I didn't remember, but the easiest thing I remember is to use getJSON method of Jquery or using JSONP, JSONP request are independent in these sense and works well for me thus far.

This won't work in all browsers, but depending on which version of JQuery you're using try: $.support.cors = true; Obviously this also depends on the headers of the server response.

That doesnt answer your question directly but its also a way to achieve what you're trying: You can use: /* java side: */ $.getJSON("URL?some_call_back_function=?", dataToPass, function(data){ // do whatever you like.. }); /* php side: */ if(isset($_GET['some_call_back_function']) && $_GET['some_call_back_function'] != ''){ $someJsonToReturn = array('Something'=> "something"); echo $_GET['some_call_back_function'].'('.json_encode($someJsonToReturn ).')'; } i hope that helps. i use that usually when i want cross domain. here is the jquery API for it: getJson API

The first warning is normal if the remote end does not set the correct Content-Type header for its JSONP output. It's just a warning, it causes no harm. If the second error is from trying to access the stackoverflow website then that error is simply because you're trying to throw HTML code at the JS interpreter. Note that a JSONP request must receive JSON in the form of a valid JS script. It won't work with any other type of input. For security reasons you cannot access other types of resource from other origins unless those resources send the appropriate Access-Control-Allow-Origin HTTP headers.

Your best bet is to create a REST/JSON service on your own web server that simply returns the remote results from Google's API. That way any cross-domain problems are avoided and you have more control over future changes to the API (you can for example reformat the content to suit your own nefarious uses:)).

You can force Google Chrome to not moan about Cross-domain-origin(s) Adding this flag --disable-web-security when running chrome will allow you to test successfully. I've added it to the target variable of my Chrome shortcut on my desktop like so: "C:Program Files (x86)GoogleChromeApplicationchrome.exe" --disable-web-security Hence everytime I start Chrome it automatically is started with this flag in place and I can test cross-domain ajax calls without any issues.

Not necessarily needed, Check the _self description window.open( strUrl, strWindowName[, strWindowFeatures]) strWindowName: "_self" -> opens in the Cordova WebView if strUrl is in the white-list, else it opens in the InAppBrowser "_system" -> always open in the system web browser "_blank" -> always open in the InAppBrowser

IIS (including the one in your Azure web site) has a default OPTIONS handler. You will need to remove it in Web.config. It answers the OPTIONS call before your message handler has an opportunity to respond. <configuration> ... <system.webServer> <handlers> <remove name="OPTIONSVerbHandler" /> ... </handlers> </system.webServer> </configuration>

You can set the appropriate headers using Snap's header manipulation functions.

When accessing web services from mobile website, they should either have access origin allow true set or jsonp enabled in php (much secure way). Since unlike the app, mobile website JavaScript would not have access to other domains through browsers. check these links: allow cross domain ajax requests

All MediaWiki API queries that can be executed as GET requests can also use POST. And I think the API module you want is action=parse. Something like: URL: http://en.wikipedia.org/w/api.php POST data: action=parse&text=your text

Apparently the browser first sends an OPTIONS request to find out if PUT (or DELETE) requests are allowed. Since I had not allowed the OPTIONS method in Access-Control-Allow-Methods it failed and so did the PUT request after in Firefox. Adding OPTIONS to Access-Control-Allow-Methods solved the problem: header('Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS');

I had a similar error where the JS error was: Blocked a frame with origin "https://www.youtube.com" from accessing a frame with origin "http://www.yourdomain.com". The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "http". Protocol/Protocols must match, YouTube has CORS (Cross Origin Resource Sharing) enabled to allow across domains. Try getting rid of the https:// in your YouTube iframe tag? You could also take a look at your closing iframe tags. Iframe tags are not singleton tags and must end with a </iframe> and not a />.

To satisfy CORS, you can host your images on a CORS friendly site like dropbox.com Then the security error will not be triggered if you speify image.crossOrigin="anonymous": var image=new Image(); image.onload=function(){ } image.crossOrigin="anonymous"; image.src="https://dl.dropboxusercontent.com/u/139992952/stackoverflow/colorhouse.png"; Here is code and a Fiddle: http://jsfiddle.net/m1erickson/4djSr/ <!doctype html> <html> <head> <link rel="stylesheet" type="text/css" media="all" href="css/reset.css" /> <!-- reset css --> <script type="text/javascript" src="http://code.jquery.com/jquery.min.js"></script> <style> body{ background-color: ivory; } #canvas{border:1px solid red;} </style> <script>

XMLHttpRequest and by that $.ajax in content scripts are limited by the same-origin policy/CORS. You'll either have to implement CORS on your localhost. (Not quite sure if CORS actually works in panels with a local URI, though...) Or use the request module. Using the request module will require some message passing between the lib script and the content script. Or wait for the new permissions introduced in Firefox-24.

Depending on which browser you're using, it might be an expected behaviour. Pretty much all browsers, given a local file path, try to open the file via file:// protocol. I know that WebKit treats the file:// protocol as unsafe (i.e. you can't make the AJAX requests to this protocol regardless of where the file actually is). Gecko allowed you for subdirectories last time I checked and I'm not sure about IE The best solution would be to access the files via http://localhost instead, as behaviour of HTTP protocol is much more reliable. Both in your JS code and when you open the page in the browser.

I was able to do this by extending UsernamePasswordAuthenticationFilter... my code is in Groovy, hope that's OK: public class CorsAwareAuthenticationFilter extends UsernamePasswordAuthenticationFilter { static final String ORIGIN = 'Origin' @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response){ if (request.getHeader(ORIGIN)) { String origin = request.getHeader(ORIGIN) response.addHeader('Access-Control-Allow-Origin', origin) response.addHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE') response.addHeader('Access-Control-Allow-Credentials', 'true') response.addHeader('Access-Control-Allow-Headers', request.getHeader('A

The second pram is targetOrigin, this is a security restriction to stop your message being intercepted. It should be set to the domain of the window the message is being sent to rather than the one it is coming from. Here's an example using an iframe to set the second field, that takes the src value from the iFrame and chops it down to being protocol + domain + port. Which is what is required to set target origin. var target = iframe.src.split('/').slice(0,3).join('/'); iframe.contentWindow.postMessage('foo', target);

How about keeping track of "searched but not found" searches in a DB table and the number of times they're searched in a separate field? This can be done very easily. But then you have to handle the difference in titles people will search for, or simply split them into words and keep track of the words only (ignoring grammatical propositions etc)

The MediaWiki API doesn't understand infoboxes. So, you have basically two options: Parse the infobox yourself. You can either parse the wikitext directly or the generated HTML table (both are available from the API). Let somebody else do the parsing. This is exactly what DBPedia does. Wikidata tries to do something similar, but it probably won't contain enough data to be usable for a long time; see growth statistics.

There is no need to use JSONP if you enable CORS. Access-Control-Allow-Origin: http://www.example.com if this header is set in the response, then normal XmlHttpRequest will be able to access the response as if it is like same domain. Check whether this header is set correctly. I hope that this link will help you if you are using jquery A CORS POST request works from plain javascript, but why not with jQuery? Update: Example var xmlhttp= new XMLHttpRequest(); var url="https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control"; xmlhttp.open("GET",url,false); xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"); xmlhttp.send(); Try this in any domain, you will get response. Upd

For any arbitrary request (given the mix of Amazon and Stack Overflow in the question), CORS may not be enough as it's actually the remote server that has to give the permission. For the 2nd request to succeed, stackoverflow.com would have to include relevant Access-Control-Allow-* headers in their responses that give your website permission to make the request. And whether those are included in the response or not is entirely up to Stack Exchange, in this case. Also, by including Access-Control-Allow-Origin: * in the response, you're actually allowing other websites to request your page from their origin. What you may need is a "proxy" script on your server. You can find a generalized solution from Ben Alman: http://benalman.com/projects/php-simple-proxy/ https://github.com/cowboy/

Confirmed: IE10 does not support CORS images in an HTML 5 canvas. See RReverser's answer for a workaround. Edit Sorry, I haven't dealt with CORS images before and thought this question was about an AJAX request. According to Mozilla Developer Network you need to set image.crossOrigin to anonymous or use-credentials. Also, according to that page today, these attributes are not supported in IE, Safari, or Opera. This test was made to demonstrate that IE9 did not support it and it seems that same test still fails in IE10, so even if Safari and Opera have added support since the MDN article was written, it is quite possible that IE10 still lacks support. The only tip I can give you is that in general, allow-credentials is incompatible with a wildcard allow-origin. Either drop the allow-c

AFAIU, SEC7118 is not an error but just a notification. I've googled but didn't find the code reference on any MS site; anyway you can find 7118 messages when CORS works fine for IE10. This document focused on CORS and IE10 clarify what I mean (and it's definitely worth reading): http://blogs.msdn.com/b/ie/archive/2012/02/09/cors-for-xhr-in-ie10.aspx Anyway, I've found your issue when troubleshooting some sort of nodejs chat (actually, a BOSH backed js chat client) on IE10. In my case turned out that IE10 prepends "NS1:" to some xml attributes when sending requests, breaking things up. So, you should carefully check your xml payload looking for subtle differences (like the one we found) between IE10 and other (working) browsers. Hope this helps.

This example works for me you may try this. public function getOwnlist(){ $images = User::with('images.category')->find(Auth::getUser()->getAttribute('id')); return Response::json($images, 200, array('Access-Control-Allow-Origin' => '*')); } Also, I highly recommend setting those on the constructor of your Controller Base instead of setting the headers in each response. Or you can create one only to serve API and extend from it. Should be something like: protected $response; // This is a global variable on you BaseController // This goes on your BaseController constructor $this->response = Response::make(); $this->response->headers->add(array('Access-Control-Allow-Origin', '*'); I found some issues with Cross Domain AJAX while using jQuery, it only works

If you cannot change the headers of the server, the only way to request it is to use jsonp. You can find more information about this here: What is JSONP all about?

I had a similar problem, at the end I just specified the focus hierarchy and took all control over focusing from java. It goes a little something like this: // Setting The FOCUS Order. Vector<Component> order = new Vector<Component>(7); order.add(projectNameJTextField); order.add(companyJTextField); order.add(orderedByJTextField); order.add(phoneJTextField); order.add(jRadioNormalPriority); order.add(jRadioHighPriority); order.add(jCheckBox1); order.add(jCheckBox2); order.add(jCheckBox3); order.add(jCheckBox4); order.add(jCheckBox5); order.add(jCheckBox6); order.add(textDetailJTextArea); order.add(technitianJComboBox); order.add(aproxTimeJTextField); order.add(sendButton); // Sending the costume foc