Category Archives: access-control

Why are there Two Access-Control-Allow-Origins defined in my response header?

I am trying to develop a weather forecast site, and tested it for about 10 days which worked fine until today.

But today I am getting this error:

XMLHttpRequest cannot load (SOME_URL). The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Origin 'http://localhost:63342' is therefore not allowed access. Picture of the error Here is the response header:

HTTP/1.1 200 OK
Server: openresty
Date: Mon, 18 Jan 2016 12:09:48 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 442
Connection: keep-alive
X-Cache-Key: /data/2.5/weather?lat=17.39&lon=78.49&units=metric
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST

As we can see in the response header, two Access-Control-Allow-Origins are being displayed, and I don't understand what is causing the problem, as I don't have much idea regarding this kind of problems. If you would like to see the live version of my website, here's the link www.weatherion.com . I don't have any configuration files on my server, so please tell me exactly how could I solve this problem.

XMLHttpRequest cannot load (some url). The ‘Access-Control-Allow-Origin’ header contains multiple values ‘*, *’, but only one is allowed

I am using an Apache Server, and my website is a weather forecast website Weatherion.com. It worked fine till now but all of a sudden it shows up error as XMLHttpRequest cannot load (some url). The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Origin (some url) is therefore not allowed access. How do I solve this up, as I only have a .htaccess file on my hosting server? Why does it happen all of a sudden, as it was working fine earlier?

Propagate user access right from an authentication web page to other html only web pages on the server?

I want to create a web page, that will serve to authenticate users based on credentials I give them (user1, pswd1 etc).
Only after a user authenticated, he should have access to a few other web sites, on different folders of the web server, but which have no server side code
(otherwise it would be simple.)
The user should be allowed access to the other sites, e.g. based on his IP,
for 24 hours or another period, or while he has the authentication site open on his browser.
The purpose if that the user will not have to enter credentials on each site, and will enter his credentials only once, or once a day.

Restrictions:

    I don't want to modify the target web site javascript code at all, e.g. to query a web service.
    The user should be granted access using any browser, so I assume I cannot use cookies.

If I would develop such a mechanism on Apache,I could, for example, have the authentication site PHP code add a line "Allow from ip" to the htaccess file of each target web folder, whenever a user authenticated successfully.

The issue is that I don't want to develop it as I am sure a solution already exists, and also I need a similar mechanism for both Apache and node.js (although i can live with two different solutions)

elasticsearch.js client connection refused: Access-Control-Allow-Origin not recognized?

I've been trying to ping a locally running elasticsearch using elasticsearch.jquery.min.js and I get a "no living connection" error each time.


ETA: In Chrome I see what looks like a pretty low level "Connection Refused". I'm developing on MacOS X, and my browser points at the page via http://localhost/~myuserid/SiteName/. As I'm accessing localhost:9200 this clearly falls under cross domain CORS requirements.

I see the following error in the Chrome console:

XMLHttpRequest cannot load http://localhost:9200/?hello=elasticsearch!.
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost' is therefore not allowed access.

Per http://enable-cors.org/server_apache.html I've added the following to /etc/apache2/httpd.conf:

<Directory />
    Header set Access-Control-Allow-Origin "localhost:9200"
    AllowOverride none
    Require all denied
</Directory>

and run

$ sudo apachectl -t
$ sudo apachectl -k graceful

but the error persists. Is there another setting I'm overlooking?


I'm a noob to elasticsearch.js. Is there anything I need to do on the elasticsearch side to allow client connections from the browser, or something?

I'm following the book in my ping attempt:

var client = new $.es.Client({
  hosts: 'localhost:9200'
  });

client.ping(
  {
    requestTimeout: Infinity,
    // undocumented params are appended to the query string
    hello: "elasticsearch!"
    },
  function (error) {
    if (error) {
      console.error('elasticsearch cluster is down!');
      console.error(error);
    } else {
      console.log('All is well');
      }
    }
  );

but I'm getting the following error(s):

"WARNING: 2015-10-10T07:00:16Z"        elasticsearch.jquery.min.js:14:10575
  Unable to revive connection: http://localhost:9200/

"WARNING: 2015-10-10T07:00:16Z"        elasticsearch.jquery.min.js:14:10575
  No living connections

I can connect using curl on the command line just fine, pull and insert data, etc.:

$ curl "localhost:9200/_cat/indices?v"
health status index             pri rep docs.count docs.deleted store.size pri.store.size 

green  open   fuddle              1   0          3            0     12.9kb         12.9kb                                                
green  open   faddle              1   0          0            0       144b           144b 



ETA additional diagnostics. Google Chrome shows the following network traces for the failing attempt. At the HTTP layer the response looks like it's happening.

General
  Remote Address:[::1]:9200
  Request URL:http://localhost:9200/?hello=elasticsearch!
  Request Method:HEAD
  Status Code:200 OK
Response Headers
  Content-Length:0
  Content-Type:text/plain; charset=UTF-8
Request Headers
  Accept:text/plain, */*; q=0.01
  Accept-Encoding:gzip, deflate, sdch
  Accept-Language:en-US,en;q=0.8
  Connection:keep-alive
  Content-Length:0
  Host:localhost:9200
  Origin:http://localhost
  Referer:http://localhost/~browsc3/Opticon/
  User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Query String Parameters
  view URL encoded
  hello:elasticsearch!

The same request in wget:

wget http://localhost:9200/?hello=elasticsearch!
--2015-10-10 09:47:13--  http://localhost:9200/?hello=elasticsearch!
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:9200... connected.
HTTP request sent, awaiting response... 200 OK
Length: 342 [application/json]
Saving to: 'index.html?hello=elasticsearch!'

index.html?hello=elastics 100%[=====================================>]     342  --.-KB/s   in 0s     

2015-10-10 09:47:13 (65.2 MB/s) - 'index.html?hello=elasticsearch!' saved [342/342]

I'm really at a loss where to go from here. I see lots of references to the error on teh googlz, but none of the circumstances seem remotely similar. It feels like I'm just hitting some misconfiguration, but I can't find anything that would indicate what that is.

Allow access to url from one IP

Trying to use htaccess to allow access to a url by one ip address only. There are a couple stackoverflow posts on the subject that I followed to no avail.

 RewriteCond %{REMOTE_ADDR} !^123\.45\.45\.6
 RewriteCond %{REQUEST_URI} http://sub.domain.com/thatThing [NC]
 RewriteRule ^(.*)$ http://sub.domain.com [R=307,L]

So my understanding of this is: 1. If the request does not come from this IP address 2. If the requested URL is http://sub.domain.com/thatthing 3. Redirect to the home page

When I test this, the page http://sub.domain.com/thatthing is available from any IP. I even tried proxy's to be sure. Is there some syntax thing I'm missing?

Thanks in advance.

Allow access to url from one IP

Trying to use htaccess to allow access to a url by one ip address only. There are a couple stackoverflow posts on the subject that I followed to no avail.

 RewriteCond %{REMOTE_ADDR} !^123\.45\.45\.6
 RewriteCond %{REQUEST_URI} http://sub.domain.com/thatThing [NC]
 RewriteRule ^(.*)$ http://sub.domain.com [R=307,L]

So my understanding of this is: 1. If the request does not come from this IP address 2. If the requested URL is http://sub.domain.com/thatthing 3. Redirect to the home page

When I test this, the page http://sub.domain.com/thatthing is available from any IP. I even tried proxy's to be sure. Is there some syntax thing I'm missing?

Thanks in advance.

Access-Control-Allow-Origin Issue

I have the following in my .htaccess located in http://cdn.example.com

Header add Access-Control-Allow-Origin "http://example.com"

When I go to my site it works fine and allows me to grab from my CDN.

BUT A user of my site just pointed out to me that when you go to www.example.com (www. before site name) it wont load font files. I tried adding another header add but it then says theres 2 values and it just goes for only one of them (example.com)

I have no idea how to fix this I generally want a way to fix this from htaccess and not from a php file.

Localhost No ‘Access-Control-Allow Error on Live site

I'm getting this error on my live site (hosted on GoDaddy) when I'm trying to make a http get call to an API.

The 'Access-Control-Allow-Origin' header has a value 'http://localhost' that is not equal to the supplied origin.

Why does it think the header has a localhost value when I'm not even running this on my local server? The weird thing is that it happens on and off (sometimes it's able to call the API and get the data without the error, other times, it's not and gives that error.