How can I disable Access-Control-Allow-Origin in my Elixir Phoenix project?
Thanks
You might use
For completeness, along with @kokolegorille's response, you can also look at CORSPlug:
I prefer the documentation in Corsica though.
For example, where do I need to add this?
Add it in endpoint.ex or another file?
Thanks
plug CORSPlug, origin: ["http://example1.com", "http://example2.com"]
or
plug CORSPlug, origin: ~r/https?.*example\d?.com$/
It depends…
Do you want to apply those rules globally or only in a certain pipeline like :api? If globally, yes, endpoint.ex should be the file to go; if the latter, it's whatever file you use to define your pipelines (usually the routes file).
But both are already explained in the documentation:
Does anyone know how to solve this problem?
I set the command in endpoint.ex.
plug CORSPlug, origin: ["http://example1.com", "http://example2.com"]
But checking the response header shows origin null:
access-control-allow-origin →null
How do you check?
Can you create a minified project and release it on GitHub, which includes the steps necessary to recreate your problem and also explains what you would expect to see instead?
What value are you sending in the Origin header?
I use Postman to check (url: http://localhost:4000).
I created a new project and added the tutorial part.
Testing project: https://github.com/Kseng/phoenix_test.git
Add this plug to mix.exs
{:cors_plug, "~> 1.5"},
and
Add this code to endpoint.ex
plug CORSPlug, origin: ["http://localhost:4000", "http://localhost:4111"]
I hope to get this result, but currently get origin null.
access-control-allow-credentials →true
access-control-allow-origin → http://localhost:4000,http://localhost:4111
As your code missed the part to check for the values, I did it myself and it seems to work for me:
curl -H "origin: http://localhost:4000" localhost:4211
[{"cache-control", "max-age=0, private, must-revalidate"}, {"vary", "Origin"}, {"access-control-allow-origin", "http://localhost:4000"}, {"access-control-expose-headers", ""}, {"access-control-allow-credentials", "true"}, {"x-frame-options", "SAMEORIGIN"}, {"x-xss-protection", "1; mode=block"}, {"x-content-type-options", "nosniff"}, {"x-download-options", "noopen"}, {"x-permitted-cross-domain-policies", "none"}]
git diff lib/crosproject_web/controllers/page_controller.ex
diff --git a/lib/crosproject_web/controllers/page_controller.ex b/lib/crosproject_web/controllers/page_controller.ex
index 546c3c2..7cfaddc 100644
--- a/lib/crosproject_web/controllers/page_controller.ex
+++ b/lib/crosproject_web/controllers/page_controller.ex
@@ -2,6 +2,7 @@ defmodule CrosprojectWeb.PageController do
use CrosprojectWeb, :controller
def index(conn, _params) do
- render conn, "index.html"
+ acao = inspect(conn.resp_headers)
+ text(conn, acao)
end
end
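Review bot: the two added lines in index/2 replace render conn, "index.html" with a dump of every response header as the response body, so the page no longer renders; that is fine for a one-off check but should not be committed. To confirm the CORS header, either inspect the response from outside with curl -i and an explicit Origin header, or keep the render call and log only the header of interest, for example get_resp_header(conn, "access-control-allow-origin").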
PS: you really should not put _build and deps under version control…
Hi NobbZ, thanks for the help.
- This command also works the same for me.
curl -H "origin: http://localhost:4000" localhost:4211
Output:
[{"cache-control", "max-age=0, private, must-revalidate"}, {"vary", "Origin"}, {"access-control-allow-origin", "http://localhost:4000"}, {"access-control-expose-headers", ""}, {"access-control-allow-credentials", "true"}, {"x-frame-options", "SAMEORIGIN"}, {"x-xss-protection", "1; mode=block"}, {"x-content-type-options", "nosniff"}, {"x-download-options", "noopen"}, {"x-permitted-cross-domain-policies", "none"}]
- I added that code to my index and got this result.
acao = inspect(conn.resp_headers)
text(conn, acao)
Output:
[{"cache-control", "max-age=0, private, must-revalidate"}, {"vary", "Origin"}, {"access-control-allow-origin", "null"}, {"access-control-expose-headers", ""}, {"access-control-allow-credentials", "true"}, {"x-frame-options", "SAMEORIGIN"}, {"x-xss-protection", "1; mode=block"}, {"x-content-type-options", "nosniff"}, {"x-download-options", "noopen"}, {"x-permitted-cross-domain-policies", "none"}]
- Using JavaScript to test, I get this error message.
Failed to load http://localhost:4211/: The 'Access-Control-Allow-Origin' header has a value 'null' that is not equal to the supplied origin. Origin 'https://localhost:4000' is therefore not allowed access.
Since curl with explicitly set headers works, I have to assume that your client does not set the correct headers when initiating the request.
OK. Thanks for the help. I am using Postman and added the header Origin:http://localhost:4000, and it's working now.
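An added example, not written by any poster in this thread and not CORSPlug's own code: a simplified Elixir model of the allowlist decision discussed above, covering both the list form that answered with null and the regex form posted earlier. The module OriginCheck, the function acao/2, the anchored regex and every sample origin are constructed for illustration.

```elixir
# Added example: a simplified model of an origin allowlist, not CORSPlug's source.
defmodule OriginCheck do
  # Assumption taken from the outputs in this thread: a missing or
  # unlisted Origin is answered with the literal string "null".
  def acao(nil, _allowed), do: "null"

  def acao(origin, %Regex{} = allowed) do
    if Regex.match?(allowed, origin), do: origin, else: "null"
  end

  def acao(origin, allowed) when is_list(allowed) do
    # Exact string comparison: scheme, host and port must all match.
    if origin in allowed, do: origin, else: "null"
  end
end

# Allowlist from the thread's endpoint.ex.
allowed = ["http://localhost:4000", "http://localhost:4111"]

# Constructed Origin header values; nil stands for "header not sent".
for origin <- [nil, "http://localhost:4000", "https://localhost:4000", "http://localhost:4000/"] do
  IO.puts("list   #{inspect(origin)} -> #{OriginCheck.acao(origin, allowed)}")
end

# The regex form from the thread next to an anchored, escaped variant.
loose = ~r/https?.*example\d?.com$/
strict = ~r{\Ahttps?://example\d?\.com\z}

# Constructed origins: the first is intended, the other two are lookalikes.
for origin <- ["http://example1.com", "https://notexample.com", "http://example1xcom"] do
  IO.puts("loose  #{origin} -> #{OriginCheck.acao(origin, loose)}")
  IO.puts("strict #{origin} -> #{OriginCheck.acao(origin, strict)}")
end
```

Saved as a .exs file it runs with the elixir command and no dependencies. Only the request without an Origin header, the https variant and the trailing-slash variant come back as null from the list, and the loose regex echoes both lookalike origins while the anchored one rejects them.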
Hi all, how do I set CORS to allow the API only? I am using CORS plug.
Thanks.
You need to set up your CORS plug in router.ex or use a reverse proxy like NGINX.
router.ex
...
  pipeline :public_api do
    plug CORSPlug, origin: "*"
    plug :accepts, ["json"]
  end
...
  scope "/public/v1", MyAppWeb, as: "public" do
    pipe_through [:public_api, :public_api_v1_session]
    scope "/temp" do
      get "/", PublicAPI.V1.TempController, :webhook
      post "/", PublicAPI.V1.TempController, :webhook
    end
  end
...
NGINX
server {
    ...
    location /api {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        proxy_pass http://backend-api;
    }
    ...
}
Hi @pedromvieira,
Thanks for the help.
If I set CORS in my route, then there is no need to set it in the endpoint?
Yes. Your router / plug applies to all scopes that use that pipeline. You can set multiple scopes with different pipelines and plug options.
OK. That's great, I will try it.
Thanks
Basically, using Ajax with local resources doesn't work.
Chrome and Safari have a restriction on using Ajax with local resources. This error means that you are trying to perform Ajax on a local file. This is forbidden for security reasons.
In order to solve this problem, you can use Firefox or upload your data to a temporary server. If you still want to use Chrome, start it with the option below:
--allow-file-access-from-files
Also, this kind of trouble is now partially solved simply by using the following jQuery instruction:
<script>
$.support.cors = true;
</script>