
Meteor: Accessing a website from the client with HTTP.get (CORS error)

I can access the (secure) website without problems when I run the HTTP.get and HTTP.post commands from the server, using headers to identify myself via a cookie and with the required credentials. I'm using the HTTP package.

However I want the same to happen from the client itself. Here's the code on the client side:

HTTP.get('https://www.securewebsite.com/login1.php', {
    timeout: 30000,
    headers: {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Upgrade-Insecure-Requests": "1",
        // "DNT": "1",
        "Accept-Language": "en-US,en;q=0.8,de;q=0.6"
        // 'Accept-Charset' : 'utf-8',
        // "Cookie": cookie
    }
}, function (err, res) {
    if (err) {
       // some error handling code
    } else {
       // doing something with res
    }
});

I had to comment out the Accept-Charset, DNT and cookie headers as they were flagged as insecure. Error message, e.g. for DNT: Refused to set unsafe header "DNT" (same for the other headers).

However even then I get OPTIONS shown in the browser inspector (Chrome) and the following error message shows up:

XMLHttpRequest cannot load https://www.securewebsite.com/login1.php. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 501.

Please note that https://www.securewebsite.com/login1.php is just an example, not the real website I'm calling. You can try http://www.awest.de/ as a real example. As seen from the error message I'm currently calling it from local.

Any idea how I can achieve this? Am I missing some specific header? I've tried other URLs as well (including my own webspace) but I get the same error message, so it doesn't have anything to do with the URL I'm trying to GET from. It seems more like a browser issue where it wants to stop some x-script execution (if I understand it correctly from what I read).

To explain why I want to access it from the browser: I don't want to violate the server's policy and thus requests should come from the client's IP address and not my server's IP address. I'm using two apps, one is just hosting the client side code and a second one is hosting only server side code.

Thanks for your help in advance, appreciated!

Looks like a problem with CORS. Try these headers inside the PHP/JS script (back end/CORS):

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
header("Access-Control-Allow-Headers: X-Requested-With");
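
Added example (not part of the original question or answer): a simplified JavaScript model of the checks the browser ran here, showing which request headers script may not set, which ones force the OPTIONS preflight, and whether a given preflight response lets the request through. The header sets are partial, `sampleRequest` is constructed, and the function names are hypothetical.

```javascript
// Added example: simplified model of the browser-side CORS checks.
// Header sets are partial; value rules are reduced to a length limit.
// "dnt" is included because the question reports the browser refusing it.
const FORBIDDEN = new Set(["accept-charset", "accept-encoding", "connection",
  "content-length", "cookie", "dnt", "host", "origin", "referer"]);
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_METHODS = new Set(["get", "head", "post"]);
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Split request headers into those script may not set ("refused") and
// those that make the browser send an OPTIONS preflight ("preflight").
function classifyHeaders(headers) {
  const out = { refused: [], preflight: [] };
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (FORBIDDEN.has(n) || n.startsWith("sec-") || n.startsWith("proxy-")) out.refused.push(n);
    else if (!SAFELISTED.has(n) || String(value).length > 128) out.preflight.push(n);
  }
  return out;
}

// Would this preflight response let the real request be sent?
// res = { status, headers }, response header names in lower case.
function preflightAllows(req, res) {
  const wildcardOk = !req.credentials; // "*" is not honoured with credentials
  const matches = (values, v) => values.includes(v) || (wildcardOk && values.includes("*"));
  const acao = res.headers["access-control-allow-origin"];
  if (!matches([acao], req.origin)) return { ok: false, reason: "no matching Access-Control-Allow-Origin" };
  if (res.status < 200 || res.status > 299) return { ok: false, reason: "preflight status " + res.status };
  const m = req.method.toLowerCase();
  if (!SIMPLE_METHODS.has(m) && !matches(list(res.headers["access-control-allow-methods"]), m)) {
    return { ok: false, reason: "method not allowed: " + m };
  }
  const allowed = list(res.headers["access-control-allow-headers"]);
  for (const h of classifyHeaders(req.headers).preflight) {
    if (!matches(allowed, h)) return { ok: false, reason: "header not allowed: " + h };
  }
  return { ok: true, reason: "preflight passed" };
}

// Constructed sample: the question's request from the local dev origin.
const sampleRequest = { origin: "http://localhost:3000", method: "GET", credentials: false,
  headers: { "Accept": "text/html", "Upgrade-Insecure-Requests": "1", "Accept-Language": "en-US" } };
console.log(preflightAllows(sampleRequest, { status: 501, headers: {} }));
```

In this model a preflight response carrying the three headers from the answer passes the origin check but still rejects `Upgrade-Insecure-Requests`, because that name is not listed in `Access-Control-Allow-Headers`. A wildcard origin is also not honoured once the request carries credentials.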

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
