Monday, May 20, 2024
rated 0 times [  159] [ 4]  / answers: 1 / hits: 35250  / 12 Years ago, wed, december 19, 2012, 12:00:00

I've followed the following steps:




  1. Get the server to allow cross domain calls (with all the headers and stuff). This works.

  2. Test the server with some cross domain calls. This works.

  3. Get the server to force a certificate. This works.

  4. Go to a file on the server with a browser, choose the right certificate and see the file. Still works.

    Now we get to the nice part.

  5. Combine the cross domain calls with the certificate. <-- This does not work.



Problem



I am getting the certificate request from the browser, but when I select the same certificate as I do when using the browser, the call is made but I get a 403 Forbidden.



Code



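$.ajax({
    type: "POST",
    // Send credentials (client certificate, cookies) on the cross-origin call
    xhrFields: {withCredentials: true},
    dataType: "xml",
    // text/xml is not a "simple" content type, so the browser sends an OPTIONS preflight first
    contentType: "text/xml; charset=utf-8",
    url: "https://www.myOtherServer.com/testfile.asp"
});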


Any ideas?



Edit



The Access-Control-Allow-Credentials: true and the Access-Control-Allow-Origin are properly configured.



Additional information



I'm starting to think that it has something to do with the content type. When I change it to text/html I get a 415 error, but I do really need to send xml because it is a SOAP server.



Response headers



Access-Control-Allow-Cred...    true
Access-Control-Allow-Head... Content-Type, Origin, Man, Messagetype, Soapaction, X-Test-Header
Access-Control-Allow-Meth... GET,POST,HEAD,DELETE,PUT,OPTIONS
Access-Control-Allow-Orig... https://www.mywebsite.com
Access-Control-Max-Age 1800
Cache-Control private
Content-Length 5561
Content-Type text/html; charset=utf-8
Date Wed, 19 Dec 2012 15:06:46 GMT
Server Microsoft-IIS/7.5
X-Powered-By ASP.NET


Request headers



Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language nl,en-us;q=0.7,en;q=0.3
Access-Control-Request-He... content-type
Access-Control-Request-Me... POST
Cache-Control no-cache
Connection keep-alive
Host myhoast.com
Origin https://www.mywebsite.com
Pragma no-cache
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0

 Answers

My best guess is that this is a problem not with your Javascript but with your CORS configuration. Did you set up your server with the Access-Control-Allow-Credentials: true header? http://www.w3.org/TR/cors/#access-control-allow-credentials-response-header



Also note that, even when the allow-credentials header is set, the browser will not allow responses to credentialed requests if Access-Control-Allow-Origin is *, according to these docs: https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#Requests_with_credentials.



Edit: Since the OP has the CORS headers set up properly, the problem seems to be that the server is rejecting OPTIONS requests with a 403 status code. OPTIONS requests (known as the preflight request) are sent before certain cross-domain requests (such as POSTs with application/xml content types), to allow the server to notify the browser of what types of requests are allowed. Since the browser doesn't see the 200 response that it expects from the OPTIONS request, it doesn't fire the actual POST request.


[#81327] Tuesday, December 18, 2012, 12 Years
billtreytonb
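
The server-side decision the answer describes, as an added example that is not code from the original post or from IIS. It assumes the 403 on OPTIONS comes from the certificate requirement also being applied to the preflight, which browsers send without credentials; decide() and its request shape are hypothetical, and the sample requests are constructed from the question's header dump.

```javascript
// Added example (not from the original post). Origin and header names follow the
// page's header dump; decide() and its request shape are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://www.mywebsite.com"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "soapaction"];

function corsHeaders(origin) {
  return {
    // Echo the exact origin: browsers reject "*" on credentialed requests.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// req = { method, headers (lower-cased names), clientCertOk (TLS layer verified a cert) }
function decide(req) {
  const origin = req.headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const asked = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && origin && asked) {
    // Preflight: carries no credentials, so it is judged on origin, method and headers only.
    const wanted = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(asked) && wanted.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {} };
    return { status: 200, headers: { ...corsHeaders(origin),
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(","),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(","),
      "Access-Control-Max-Age": "1800" } };
  }
  // Actual request: the client certificate is still mandatory here.
  const headers = origin ? corsHeaders(origin) : {};
  return { status: req.clientCertOk ? 200 : 403, headers };
}

// Constructed sample requests modelled on the question's header dump.
const preflight = { method: "OPTIONS", clientCertOk: false, headers: {
  "origin": "https://www.mywebsite.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type" } };
const post = { method: "POST", clientCertOk: true, headers: {
  "origin": "https://www.mywebsite.com", "content-type": "text/xml; charset=utf-8" } };
const noCert = { ...post, clientCertOk: false };
const foreign = { ...preflight, headers: { ...preflight.headers, origin: "https://other.example" } };

for (const [name, r] of Object.entries({ preflight, post, noCert, foreign })) {
  console.log(name, decide(r).status);
}
```

Only the preflight is answered without a certificate; the POST that carries the SOAP body is still refused when no verified certificate is present.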
