No Access-Control-Allow-Origin

[workingDog]

Hi Bret,
thanks for sharing this work on a TAXII 2.0 server and especially the test server.

I'm starting a TAXII 2.0 javascript client library at: https://github.com/workingDog/taxii2lib

I'm having some problems when trying to connect to your test server. I get:

Failed to load https://test.freetaxii.com:8000/taxii/: Response to preflight request
doesn't pass access control check: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin 'http://localhost:8000'
is therefore not allowed access. The response had HTTP status code 405.
If an opaque response serves your needs, set the request's mode to 'no-cors'
to fetch the resource with CORS disabled.

I've tried many different headers and modes for my requests and also
browser (Chrome) settings on my part but to no avail. I just cannot get pass this.
Do you have any advice on how to overcome this?

Ringo

[jordan2175]

Are you using TLS 1.2? Bret

…

Sent from my Commodore 64 PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050

On Sep 14, 2017, at 2:18 AM, workingDog ***@***.***> wrote: Hi Bret, thanks for sharing this work on a TAXII 2.0 server and especially the test server. I'm starting a TAXII 2.0 javascript client library at: https://github.com/workingDog/taxii2lib I'm having some problems when trying to connect to your test server. I get: Failed to load https://test.freetaxii.com:8000/taxii/: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8000' is therefore not allowed access. The response had HTTP status code 405. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. I've tried many different headers and modes for my requests and also browser (Chrome) settings on my part but to no avail. I just cannot get pass this. Do you have any advice on how to overcome this? Ringo — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[workingDog]

I'm testing things now with the following simple html file in Chrome 61 on MacOs:

<!DOCTYPE html>
<html>
<head>
    <title>TAXII2</title>
    <meta charset="UTF-8">
  </head>
  <body>
    <div>Chrome-->View-->Developer-->Developer Tools</div>
    <div id="demo"></div>
<script>
function loadTaxii() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("demo").innerHTML = this.responseText;
    }
  };
  xhttp.open("GET", "https://test.freetaxii.com:8000/taxii/", true);
  xhttp.setRequestHeader('Accept', 'application/vnd.oasis.taxii+json');
  xhttp.setRequestHeader('Content-type', 'application/vnd.oasis.taxii+json');
  xhttp.send();
};
loadTaxii();
</script>
 </body>
</html>

From my understanding of some of the comments on the net, the server has to be set to Access-Control-Allow-Origin.

[jordan2175]

From your example it looks like you are setting the Content-type to be application/vnd.oasis.taxii+json. But that is what the server would send you. You need to set the "Accept" header. For example, see the following curl commands. curl -H "Accept:application/vnd.oasis.taxii+json;" https://test.freetaxii.com:8000/taxii/ <https://test.freetaxii.com:8000/taxii/> curl -H "Accept:application/vnd.oasis.taxii+json;" https://test.freetaxii.com:8000/api1/ <https://test.freetaxii.com:8000/api1/> curl -H "Accept:application/vnd.oasis.taxii+json;" https://test.freetaxii.com:8000/api1/collections/ <https://test.freetaxii.com:8000/api1/collections/>

On Sep 14, 2017, at 17:51, workingDog ***@***.***> wrote: I'm testing things now with the following simple html file in Chrome 61 on MacOs: <title>TAXII2</title> Chrome-->View-->Developer-->Developer Tools <script> function loadTaxii() { var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.readyState == 4 && this.status == 200) { document.getElementById("demo").innerHTML = this.responseText; } }; xhttp.open("GET", "https://test.freetaxii.com:8000/taxii/", true); xhttp.setRequestHeader('Accept', 'application/vnd.oasis.taxii+json'); xhttp.setRequestHeader('Content-type', 'application/vnd.oasis.taxii+json'); xhttp.send(); }; loadTaxii(); </script> From my understanding of some of the comments on the net, the server has to be set to Access-Control-Allow-Origin. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#1 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AJk2GArqEX1DvLunk1dhStrGSU2Vv3cTks5sibvmgaJpZM4PXNi9>.

Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

[workingDog]

thanks for your reply. I removed the Content-type and tried a few other things, but no success yet.
Is the example html working for you?

[workingDog]

I've just dropped the html file in Safari, and it seems to be working. This problem of cross origin appear to be a Chrome problem.
Thanks for your help anyway.

[jordan2175]

It looks like I need to add some code like this for CORS. https://stackoverflow.com/questions/12830095/setting-http-headers I will look in to adding this in the next update.

[workingDog]

Hi Bret,

I'm writing a browser app for creating and sending STIX 2.1 objects to a TAXII-2.0 server at:
cyberstation

However I cannot get pass the "Access-Control-Allow-Origin" bug.
Currently I launch Chrome with "--disable-web-security --user-data-dir" and that works temporarily.
I updated Safari and now it has the same problem.

Is there any other ways to get around this while you work on a server side solution?

[jordan2175]

Will you have time to work on this live? I can make changes to the server and you can let me know if it works for you? We can chat via slack or skype, if either of those work for you.

[workingDog]

Hi Bret,

I've found a way around the 'Access-Control-Allow-Origin' problem.
I use the proxy server at: "https://cors-anywhere.herokuapp.com/"
This is really a temporary hack.

I've put a small html file: testfreetaxii.html at :

https://github.com/workingDog/cyberstation

If you drop this file on your browser it will show the problem.
As far as I know the server must respond with the appropriate
Access-Control-Allow-Origin header. Then it should work.

I've signed up to the Slack thing, it maybe a day or two before I
can spend time on it, live or otherwise. Note I'm in Tokyo.