No 'Access-Control-Allow-Origin' Header Is Present on the Requested Resource

When you are developing a web application that uses JavaScript to query a RESTful API on another domain, it is common to get the following error:

From origin 'has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This is a security protection in browsers and it's an expected error. You can use XMLHttpRequest to send data to and receive data from a remote server, but it's limited by the same-origin policy. Same-origin policy means that requests can only be made to the same domain and not to another one.

The proper way to solve this issue is to use Cross-Origin Resource Sharing (CORS). In this tutorial we are going to see how to fix the error "No 'Access-Control-Allow-Origin' header is present on the requested resource".

We are not going to cover using JSONP or building a custom proxy, but those two are possible solutions.

First you need to understand CORS. The key point is that the other domain adds headers to its response, and these allow the browser to complete the XMLHttpRequest. You will need to make changes on the other server to add those response headers. Frameworks like Django or Flask usually support CORS, or make it pretty easy to add those headers.

In the past, doing a CORS request with JavaScript was tricky; today you can use axios or the Mozilla Fetch API. We will cover some examples with different libraries.

Vanilla javascript

Making CORS requests with jQuery

You can use the ajax function to make the request to another domain (which will have the appropriate headers). Note that the difference here is:

Full example of how to make an HTTP request using CORS with jQuery:

Using axios

Here is an example on how to make a CORS request using axios:

If the error continues to appear and your server is returning CORS headers on the response, make sure your server also answers OPTIONS requests. Axios first makes an OPTIONS request and if it fails it will not make any other request. It's common to implement just GET or POST, and backend developers usually forget about OPTIONS.

Here we are making a CORS request using the Mozilla Fetch API:


As you can see, the options set mode to cors to make the CORS request.


What is CORS about?

CORS is a specification that enables truly open access across domain boundaries.

Why is CORS important?

Currently, client-side scripts (e.g., JavaScript) are prevented from accessing much of the Web of Linked Data due to 'same origin' restrictions implemented in all major Web browsers.

While enabling such access is important for all data, it is especially important for Linked Open Data and related services; without this, our data simply is not open to all clients.

If you have public data which doesn't require cookie- or session-based authentication to see, then please consider opening it up for universal JavaScript/browser access.

For CORS access to anything other than simple, non-auth-protected resources, please see this full write up on Cross Origin Request Security.

How can I participate?

Granting JavaScript clients basic access to your resources simply requires adding one HTTP Response Header, namely:

The asterisk wild-card permits scripts hosted on any site to load your resources; listing a specific <base URI> will permit scripts hosted on the specified site -- and no others -- to load your resources.

This is compatible with both XHR (XMLHttpRequest) and XDR (XDomainRequest), and is supported by all the major Web browsers.

(Note that it is not possible to grant access to multiple specific sites, nor use a partial wildcard match. It is also not possible to specify more than one Access-Control-Allow-Origin header.)
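Because the header carries a single value, a server that must serve several specific sites compares the request's Origin header against its own allowlist and echoes back the one that matches; the same code also has to answer the OPTIONS request mentioned earlier on this page. The following is an added example, not code from the original page: the origins, methods and header names in the policy are constructed sample values, and corsDecision and handler are hypothetical names.

```javascript
// Added example: sample policy values below are constructed, not from the page.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Decide the CORS part of a response. `headers` uses lower-case names,
// which is how Node's http module exposes them in req.headers.
function corsDecision(method, headers) {
  const origin = headers['origin'];
  // The answer differs per origin, so caches must key on the Origin header.
  const out = { 'Vary': 'Origin' };
  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const wantMethod = headers['access-control-request-method'];
  const preflight = method === 'OPTIONS' && wantMethod !== undefined;
  // Exact match against the allowlist; an unknown origin gets no allow header,
  // so the browser keeps the response away from the calling script.
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return { preflight, status: preflight ? 403 : null, headers: out };
  }
  out['Access-Control-Allow-Origin'] = origin; // one value: the matched origin
  // status null means "not a preflight, let the normal route set the status".
  if (!preflight) return { preflight, status: null, headers: out };
  const wantHeaders = (headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { preflight, status: 403, headers: { 'Vary': 'Origin' } };
  out['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  out['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  out['Access-Control-Max-Age'] = '600'; // browser may cache this preflight for 10 minutes
  return { preflight, status: 204, headers: out };
}

// Handler in the (req, res) shape accepted by Node's http.createServer.
function handler(req, res) {
  const d = corsDecision(req.method, req.headers);
  for (const [k, v] of Object.entries(d.headers)) res.setHeader(k, v);
  if (d.preflight) { // answer OPTIONS here instead of falling through to a 404/405
    res.statusCode = d.status;
    return res.end();
  }
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ ok: true }));
}
```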

At the HTTP Server level..

Security Note: The examples given below assume a wild-card '*' domain for the Access-Control-Allow-Origin header. This is provided to simplify basic use of CORS, practically meaning 'I don't care how this is used.' In an intranet setting, this could lead to leakage of data beyond the intranet and therefore should be avoided. In a production setting, you should take advantage of the full features of the CORS specification to make sure it does express your actual security policy. That said, in a typical Open Data situation, the wild-card can be an appropriate use of CORS.

For Apache

Apache can be configured to expose this header using mod_headers. This is enabled by default in Apache, however you may want to ensure it's enabled in your deployment by running the following command:

To expose the header, you can add the following line inside <Directory>, <Location>, and <Files> sections, or within an .htaccess file.

You can use add rather than set, but be aware that add can add the header multiple times, so it's generally safer to use set.

Finally, you may need to reload Apache to make sure your changes have been applied.

For nginx

CORS can be enabled using the Headers core module which is compiled into nginx by default:

For IIS7

Merge this into the web.config file at the root of your application / site:

If you don't have a web.config file already, or don't know what one is, just create a new file called 'web.config' containing the snippet above.

For IIS6

  1. Open Internet Information Service (IIS) Manager
  2. Right click the site you want to enable CORS for and go to Properties
  3. Change to the HTTP Headers tab
  4. In the Custom HTTP headers section, click Add
  5. Enter Access-Control-Allow-Origin as the header name
  6. Enter * as the header value
  7. Click Ok twice

For Jetty (7 and above)

Jetty 7 (starting with 7.0.0.RC2 to be exact) ships with a CrossOriginFilter. More information..

Include the jetty-servlets JAR in your WEB-INF/lib and merge this into your WEB-INF/web.xml:

The CrossOriginFilter can also be configured in the webdefault.xml to apply to all applications; the jetty-servlets JAR is already bundled within Jetty for this use-case.

It's a simple servlet filter and should be usable in other servlet containers, such as Tomcat, JBoss AS or Glassfish.

For OpenLink Virtuoso (Basic Web Sites, Linked Data Spaces, SPARQL Endpoints, and otherwise)

  • Instance/server-level settings require Virtuoso Open Source (VOS) 6.1.3 or later, or Virtuoso Commercial Edition 06.02.3129 or later.
  • For older versions of Virtuoso, you can use any of the Web Application-level instructions in the following section, including the Virtuoso-specific PL (VSP). More information..
  1. Open up the Virtuoso Conductor's Virtual Home and Directory Admin UI
  2. Set the CORS options on your target virtual directory via the Cross-Origin Resource Sharing field by entering: ' * ' or a space-delimited list of HTTP server URIs, e.g.,
    http://example.com:8080 http://blah.example.com http://foo.example.com
  3. Optionally check the Reject Unintended CORS check-box, and unmatched Origins (after any header re-writing by the application itself) will receive an empty response.

For Apache Tomcat (7.0.41 and above)

Apache Tomcat (7.0.41 onwards) ships with a Cross Origin Resource Sharing filter. Please refer to the documentation for more information.

The minimal configuration required to use this filter is:

For more configuration options, refer to the configuration initialization parameters.

At the Web Application level..

If you can't configure the HTTP server, you can still add the necessary header through various hosting environments.

In ASP.NET

Add the following line to your source pages.

This is compatible with IIS6, IIS7 Classic Mode, and IIS7 Integrated Mode.

In Plack Scripts

Install the Plack::Middleware::CrossOrigin module and enable it with:

There are also more advanced options available.

In CGI Scripts

Just output the line


as part of your CGI script's headers.

With Perl, using CGI.pm
With Python

In ExpressJS

In your ExpressJS app on nodejs, do the following with your routes

In PHP

Add the following line to your PHP scripts --

As with all uses of the PHP header function, this must be done before any output has been sent from the server.

Via VSP (Virtuoso Server Page)

You can implement CORS checking through Virtuoso's built-in HTTP functions http_request_header() and http_header(). This will work with any version of Virtuoso. For example --

In Java servlets

Simply add a header to your HttpServletResponse by calling addHeader:

Who is doing it already?

Platforms

  • OntoWiki (Plugin Documentation)
  • OpenLink Virtuoso (Virtuoso Open Source (VOS) 6.1.3 and later, and Virtuoso Commercial Edition 06.02.3128 and later)
  • Talis Platform - coming soon

Services

  • Uberblic - coming soon
  • OpenStreetMap delivers map tiles with CORS headers
  • Nokia Maps delivers map tiles with CORS headers

SPARQL Endpoints

  • DBpedia and DBpedia-live

Toolkits

  • RDF::LinkedData version 0.16 and later.
  • dotNetRDF Version 0.4.0 and later unless explicitly disabled by user configuration
  • JSON-LD module for Drupal 7

Data Sets

  • bibliographica, a catalogue of cultural works
  • data.gov and the new home of data.gov data
  • DBpedia and DBpedia-live
  • dig/csail - coming soon
  • *.rkbexplorer.com which includes various data sets

Ontologies

  • everything at ontologi.es and wiki.ontologi.es
  • rdfs.org which includes SIOC, Resume-RDF and Likedis
  • vocab.deri.ie, all ontologies
  • W3C, all ontologies - coming soon

Who still needs to get on board?

Join our effort to enable CORS on the Web by requesting that your favorite website implement it. You can follow the progress of requests sent to popular services here. Don't hesitate to join the conversations linked here, and to list the requests you've made yourself!

  • purl.org -- Please see the outstanding issue.
  • vocab.org and open.vocab.org
  • CloudMade -- A request has been made to add CORS headers to their Mass Downloads API.
  • MapQuest -- A request has been made to add CORS headers to their Open Javascript Maps API.
  • Twitter -- They're willing to add CORS where they support JSONP, see the related discussion.
  • Twitpic -- They've 'talked about adding it in the future', but have closed the related ticket.
  • Yfrog -- A request has been made to enable CORS on their API.

Who's not willing to get on board?

  • Google Maps -- They won't add CORS to their API unless we find a valid use case that respects their terms of service. Offline use of maps is against section 10.1.3 of the TOS, see related discussion.
Retrieved from 'https://www.w3.org/wiki/index.php?title=CORS_Enabled&oldid=82530'