
Why are sometimes XMLHttpRequest blocked from CORS with my local IP address in access-control-allow-origin?

For a few days I have sometimes been getting the following error in my browsers:

Access to XMLHttpRequest at 'https://websiteB.com/file.zlip' from origin 'https://websiteA.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'http://192.168.0.200' that is not equal to the supplied origin.

As I understand it, the SOP (Same Origin Policy) usually applies and can be bypassed by CORS in such a way that all participants are informed. This concerns only dynamic server requests like XHR.

My aim is to use data from websiteB in websiteA. Therefore I saved a .htaccess in the root of websiteB.

RewriteEngine on
RewriteBase /

# allow request from multiple domains (domain1.com|domain2.com|...)
<IfModule mod_headers.c>
   # $0 is the whole matched Origin value; the dot is escaped so it matches literally
   SetEnvIf Origin "http(s)?://(www\.)?(websiteA\.com)$" AccessControlAllowOrigin=$0
   Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
</IfModule>

The point is that this error occurs only sometimes. I always completely clear the browser cache before I test.

Results from Mozilla Firefox:

Response header

HTTP/2 200 OK
date: Mon, 31 Aug 2020 12:31:55 GMT
server: Apache
etag: "1d1cf8-58ffd72bc6380"
last-modified: Tue, 13 Aug 2019 10:53:18 GMT
content-length: 1907960
access-control-allow-origin: http://192.168.0.200
age: 698
accept-ranges: bytes
strict-transport-security: max-age=15768000
X-Firefox-Spdy: h2

Request header

GET /file.zlip HTTP/2
Host: websiteB.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Origin: https://websiteA.com
Connection: keep-alive
Referer: https://websiteA.com/
TE: Trailers

As I understand it, access-control-allow-origin should be websiteA.com; how is it possible that it contains my IP address from my local network? Is there a way to clear the header before sending it?

Update: I just found that if I deselect "Enable HTTP cache" in the browser's debug mode, it works correctly. So I inserted in my website

<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />

and in my .htaccess

<IfModule mod_headers.c>
   Header set Cache-Control "no-cache, no-store, must-revalidate"
   Header set Pragma "no-cache"
   Header set Expires 0
</IfModule>

but nothing helped. Does anyone have an idea what's going wrong here?

This is because your CORS header does not match the origin.

From your response header:

access-control-allow-origin: http://192.168.0.200

From your request header:

Origin: https://websiteA.com

Since http://192.168.0.200 is not https://websiteA.com it is a CORS violation and the browser rightfully blocks the request. The correct CORS header for the response should be:

access-control-allow-origin: https://websiteA.com
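The quoted response also carries `age: 698`, and the update says the error disappears when the browser's HTTP cache is disabled. Both point at a cached copy rather than at Apache producing a wrong value on each request: the `.htaccess` above echoes a matching Origin back, but it sends no `Vary: Origin`, so any cache (the browser's own or a proxy in between) treats the stored response as valid for every requester and hands websiteA the copy that was generated for an earlier request from another origin. The following is an added example, not code from the question or the answer, that models this in Node.js. It assumes the allow list in use also matched `http://192.168.0.200` while testing (the sanitized regex only shows websiteA.com, but its comment mentions multiple domains) and uses the `/file.zlip` path from the request headers.

```javascript
// Added example (not from the original question or answer): a model of a CORS
// origin server, a shared HTTP cache in front of it, and the browser's check,
// showing how an Access-Control-Allow-Origin value cached for one origin is
// served to another unless the response carries "Vary: Origin".

// Assumption: the allow list behind the SetEnvIf pattern also matched the
// local test address; the page only shows websiteA.com in the sanitized regex.
const ALLOWED_ORIGINS = new Set([
  'https://websiteA.com',
  'https://www.websiteA.com',
  'http://192.168.0.200',
]);

// Origin server, equivalent to "SetEnvIf Origin ... / Header add
// Access-Control-Allow-Origin": echo the Origin back when it is allowed.
function originServer(req, varyOnOrigin) {
  const headers = { 'content-type': 'application/octet-stream' };
  const origin = req.headers.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['access-control-allow-origin'] = origin;
  }
  if (varyOnOrigin) headers['vary'] = 'Origin';
  return { status: 200, headers, body: 'constructed zlip bytes' };
}

// A cache in the style of RFC 7234: a stored response may be reused for a
// request with the same URL whose values for every header named in the
// response's Vary header equal the values of the request that stored it.
class HttpCache {
  constructor(server) {
    this.server = server;
    this.entries = [];
  }
  fetch(req) {
    const hit = this.entries.find(e =>
      e.url === req.url &&
      e.vary.every(h => (req.headers[h] || '') === (e.reqHeaders[h] || '')));
    if (hit) return { ...hit.res, fromCache: true };
    const res = this.server(req);
    const vary = (res.headers.vary || '')
      .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    this.entries.push({ url: req.url, vary, reqHeaders: req.headers, res });
    return { ...res, fromCache: false };
  }
}

// The browser-side check Firefox applied in the quoted error message.
function corsCheck(requestOrigin, res) {
  const acao = res.headers['access-control-allow-origin'];
  if (acao === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (acao === '*' || acao === requestOrigin) return { ok: true };
  return {
    ok: false,
    reason: `The 'Access-Control-Allow-Origin' header has a value '${acao}' that is not equal to the supplied origin.`,
  };
}

// Replay the sequence from the question: a client on the LAN fetches the file
// first (warming the cache), then websiteA fetches it through the same cache.
function scenario(varyOnOrigin) {
  const cache = new HttpCache(req => originServer(req, varyOnOrigin));
  const get = origin => cache.fetch({ url: '/file.zlip', headers: { origin } });
  get('http://192.168.0.200');
  const second = get('https://websiteA.com');
  return {
    fromCache: second.fromCache,
    acao: second.headers['access-control-allow-origin'],
    cors: corsCheck('https://websiteA.com', second),
  };
}

console.log('without Vary:', scenario(false));
console.log('with Vary: Origin:', scenario(true));
```

Without `Vary: Origin` the second fetch is a cache hit carrying `access-control-allow-origin: http://192.168.0.200`, and the browser check fails with exactly the message in the question; with it, the cache key includes the requester's origin, the second fetch misses, and the fresh response echoes `https://websiteA.com`. In Apache terms that means adding `Header merge Vary Origin` next to the `Access-Control-Allow-Origin` line (and using `Header set` rather than `Header add`, so a second match cannot produce two values). The meta tags and `Cache-Control: no-store` only stop caching the file altogether, whereas `Vary: Origin` keeps it cacheable while making every cache store one copy per origin.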
