0

I'm manually constructing some XML to post to our server. I've validated the XML, and it is valid and without error.

Here is my post:

$.ajax({
    type: 'POST',
    url: submitUrl,
    data: xmlString,       // request body: the XML string
    dataType: 'text',      // treat the server's response as plain text
    beforeSend: function() {
        console.log(submitUrl);
    },
    success: function(data) {
        console.log(data);
    },
    error: function(error) {
        console.log(error);
    }
});

var xmlString is a text string containing XML. I can't post it publicly, unfortunately, but in essence it looks like:

var xmlString = '<?xml version="1.0" encoding="utf-8"?> ... '

The code is running on a web server, rather than locally, but all I seem to get is:

XMLHttpRequest cannot load <URL>. Origin <URL> is not allowed by Access-Control-Allow-Origin. 

However, the server is open, not locked down to these types of requests, so the post should be getting through. However, I get the above message each time.

Any ideas, things I can try, ways I can get better debug messages?

2
  • Is it possible that you're breaking the same origin policy with that request? Is the submit url on a different domain? Commented Jun 2, 2013 at 1:00
  • I don't think it's about open requests or closed or w/e. It's still a cross domain request and it's not allowed. You should use the JSONP technique for stuff like this. Or you do an ajax request to your local php file, then from that file you send the xml string to the new server, get back the response and return it to the ajax. Commented Jun 2, 2013 at 1:00

1 Answer

2

Your code is actually attempting to make a Cross-domain (CORS) request, not an ordinary POST.

Modern browsers will only allow Ajax calls to pages in the same domain as the source HTML page.

In other words, whenever the HTML page that tries to make an Ajax request is not on the same domain as the target URL, the browser won't make the call (as you'd expect). Instead, it will try to make a CORS request.

You say:

(...) the server is open not locked down to these types of requests (...)

Debugging it better: Take a look at the network transaction (request being sent and response received) going on between the page and the server. (In Chrome it is F12 + Network tab.) If you look closely, the POST is never sent. Instead, an OPTIONS request is. The browser expects that the response contains an Access-Control-Allow-Origin header with the domain URL where the HTML page is deployed in. The response for the OPTIONS does not come or does not have those headers. Your browser then concludes such access is not allowed and thus the error.

More on CORS:

Cross-origin resource sharing (CORS)1 is a mechanism that allows a web page to make XMLHttpRequests to another domain. Such "cross-domain" requests would otherwise be forbidden by web browsers, due to the same origin security policy.

To put it shortly, to perform a CORS request, your browser:

  • Will first send an OPTIONS request to the target URL
  • And then only if the server's response to that OPTIONS contains the adequate headers (Access-Control-Allow-Origin is one of them) to allow the CORS request, the browser will perform the call (almost exactly the way it would if the HTML page was at the same domain).
    • If the expected headers don't come, the browser simply gives up (like it did to you).

How to solve it? The simplest way is to enable CORS (enable the necessary headers) on the server. If you don't have server-side access to it, you can mirror the web service from somewhere else, and then enable CORS there.
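The server-side half of the exchange described in this answer, as an added example that is not part of the original answer: a decision function that answers the OPTIONS preflight and the real POST against an explicit origin allowlist instead of a wildcard. The origin `https://app.example.com`, the allowed lists and the name `corsDecision` are assumptions made for illustration.

```javascript
// Added example; the origin, lists and function name are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed origin
const ALLOWED_METHODS = ['POST'];
const ALLOWED_HEADERS = ['content-type']; // needed for e.g. Content-Type: text/xml

// req: { method, headers } with lower-cased header names, as Node's http module
// exposes them. Returns the status to send (null = let the handler decide), the
// response headers to add, and whether the real POST handler should run.
function corsDecision(req) {
  const h = req.headers;
  const origin = h['origin'];
  const out = { status: null, headers: { 'Vary': 'Origin' }, runHandler: true };

  if (!origin) return out; // same-origin or non-browser client: CORS does not apply
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: send no CORS headers, so the browser blocks the page.
    out.status = 403;
    out.runHandler = false;
    return out;
  }
  out.headers['Access-Control-Allow-Origin'] = origin; // echo only allowlisted origins

  const wantedMethod = h['access-control-request-method'];
  if (req.method !== 'OPTIONS' || !wantedMethod) return out; // the actual request

  // Preflight: check what the browser says the real request will use.
  out.runHandler = false;
  const wantedHeaders = (h['access-control-request-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantedMethod) &&
    wantedHeaders.every((name) => ALLOWED_HEADERS.includes(name));
  if (!ok) {
    delete out.headers['Access-Control-Allow-Origin'];
    out.status = 403;
    return out;
  }
  out.status = 204;
  out.headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  out.headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  out.headers['Access-Control-Max-Age'] = '600'; // let the browser cache the preflight
  return out;
}

// Constructed sample: the preflight a browser sends before a cross-origin XML POST.
const samplePreflight = { method: 'OPTIONS', headers: {
  'origin': 'https://app.example.com',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'Content-Type' } };
console.log(corsDecision(samplePreflight));
```

These headers only tell the browser which pages may read the response; they are not authentication, so the POST handler still needs its own access checks.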
