Category Archives: accesscontrolexception

No ‘Access-Control-Allow-Origin’ header error testing application on local. (Slim + Phonegap App)

I have got a tiny server with Slim Framework (index.php):

$app = new \Slim\Slim();

$corsOptions = array(
    "origin" => "*",
    "exposeHeaders" => array("Content-Type", "X-Requested-With", "X-authentication", "X-client"),
    "allowMethods" => array('GET', 'POST', 'PUT', 'DELETE', 'OPTIONS')
$cors = new \CorsSlim\CorsSlim($corsOptions);


$app->post('/foo', function () use ($app) {
    echo "foo";

When I tried to attack the post method from my app (phone app) using Ionic (phonegap app) I obtain this message:

XMLHttpRequest cannot load http://MY_IP/~FOLDER/foo. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '' is therefore not allowed access. The response had HTTP status code 404.


$ + '/foo', {
                    data: ...
                        console.log("ERROR", err);

I tested these solutions found over Internet but no one works:

Use CorsSlim:

$corsOptions = array(
    "origin" => "*",
    "exposeHeaders" => array("Content-Type", "X-Requested-With", "X-authentication", "X-client"),
    "allowMethods" => array('GET', 'POST', 'PUT', 'DELETE', 'OPTIONS')
$cors = new \CorsSlim\CorsSlim($corsOptions);

Put this in .htaccess

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"

Put this on top of index.php

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: Content-Type');
header('Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS');

Use this after Slim creation:

$app->options('/(:name+)', function() use($app) {                  
    $response = $app->response();
    $response->header('Access-Control-Allow-Origin', '*'); 
    $response->header('Access-Control-Allow-Headers', 'Content-Type, X-Requested-With, X-authentication, X-client');
    $response->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
 }); in Tomcat with DISABLED SecurityManager

I have a web application written in Java using Apache Derby database in Tomcat 7. The exception will not occur on every call to the web application, but only after about 5 to 10 successful requests.

This is what happens (from my log):

The exception ' access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was thrown while evaluating an expression.

I run Tomcat 7 with Java 1.8.0_45 and the included Apache Derby Database. The exception occurs. Below is the exception.

at Source) at Source) at Source)

Tomcat is running with disabled SecurityManager, so i expect no exceptions at all.

Any ideas why this happens and what i can do about it?