apache / cordova-browser

Apache Cordova
Apache License 2.0

Cordova can not access to AJAX #73

Closed salehmosleh closed 3 years ago

salehmosleh commented 5 years ago

I'm using the Browser platform of Cordova. I'm also using cordova-plugin-whitelist and a Content-Security-Policy tag in my HTML code, but I get the error below in the console:

JQMIGRATE: Migrate is installed, version 3.0.0 
adding proxy for Device 
SEC7118: XMLHttpRequest for http://app.jpcomplex.com/appserver/?ios=1&username=&devid=1551073647241314 required Cross Origin Resource Sharing (CORS). 
index.html
SEC7120: Origin http://localhost:8000 not found in Access-Control-Allow-Origin header. 
index.html
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.
index.html

Here is my config.xml:

<?xml version='1.0' encoding='utf-8'?>
<widget id="io.cordova.hellocordova" version="1.0.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
    <name>HelloCordova</name>
    <description>
        A sample Apache Cordova application that responds to the deviceready event.
    </description>
    <author email="dev@cordova.apache.org" href="http://cordova.io">
        Apache Cordova Team
    </author>
    <content src="index.html" />
    <access origin="*" />
    <allow-navigation href="http://app.jpcomplex.com/*" />
    <allow-navigation href="*" />
    <allow-navigation href="http://*/*" />
    <allow-navigation href="https://*/*" />
    <allow-navigation href="data:*" />
    <allow-intent href="http://app.jpcomplex.com/*" />
    <allow-intent href="*" />
    <plugin name="cordova-plugin-x-toast" spec="^2.7.2" />
    <plugin name="cordova-plugin-dialogs" spec="^2.0.1" />
    <plugin name="cordova-plugin-nativestorage" spec="^2.3.2" />
    <plugin name="cordova-plugin-device" spec="^2.0.2" />
    <plugin name="cordova-plugin-whitelist" spec="^1.3.3" />
    <engine name="browser" spec="^5.0.4" />
    <engine name="android" spec="^7.1.4" />
    <engine name="ios" spec="^4.5.5" />
</widget>

And here is the meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

And here is my AJAX request:

$.get("http://app.jpcomplex.com/appserver/",{ios:1,username:'test'},function(data){
    alert(data);
});

How can I fix it?

janpio commented 5 years ago

SEC7120: Origin http://localhost:8000 not found in Access-Control-Allow-Origin header.

Is localhost:8000 included in the Access-Control-Allow-Origin header?

salehmosleh commented 5 years ago

@janpio, hi, how can I do it?

janpio commented 5 years ago

How can you find out if it is? Look at the server code generating the response. If you don't control the server, the response is most probably no, but you can check using your browser's dev tools' network panel, where you can look at the headers of the response.

salehmosleh commented 5 years ago

@janpio, I can use the header method below in my PHP code and it works fine, but it is not secure!

<?php
header('Access-Control-Allow-Origin: *'); // for all
?>

My question is: do I have the same problem on the iOS/Android platforms, or is it just the Browser platform? I didn't test it on other platforms like Android or iOS. I'm new to Cordova. Thank you so much.

janpio commented 5 years ago

You don't have to put *, adding it for the hostname in the error message should be enough.

This is a CORS problem, so you might have or not have the same problem on native platforms depending on how exactly the request is sent. Hard to predict, you best try it out.
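
Added example (not part of the thread and not Cordova project code): a server-side origin allowlist that returns Access-Control-Allow-Origin only for listed origins instead of the * wildcard, written in JavaScript for a Node-style server. ALLOWED_ORIGINS, corsHeadersFor, applyCors and https://app.example.test are hypothetical names; http://localhost:8000 is the origin from the SEC7120 message above.

```javascript
// Added example; these names are hypothetical, not Cordova or jQuery APIs.

// Origins allowed to read responses from this server.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:8000',      // origin reported in the SEC7120 message
  'https://app.example.test',   // constructed placeholder for a production origin
]);

// Build the CORS response headers for one request.
// Matching is an exact string comparison against the allowlist, so an origin
// that merely starts or ends with an allowed value is not accepted.
function corsHeadersFor(method, requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Vary on Origin so a shared cache never reuses one origin's response for another.
  const headers = { Vary: 'Origin' };
  if (typeof requestOrigin !== 'string' || !allowed.has(requestOrigin)) {
    return headers; // no Access-Control-Allow-Origin: the browser blocks the read
  }
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  if (method === 'OPTIONS') {
    // Preflight answer; a plain $.get is a simple request and skips this step.
    headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Attach the headers to a Node-style response (any object with setHeader).
// Returns true when the request origin was allowed.
function applyCors(req, res) {
  const headers = corsHeadersFor(req.method, req.headers.origin);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return 'Access-Control-Allow-Origin' in headers;
}
```
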

benitogf commented 4 years ago

@salehmosleh think that you need to include connect-self on the security policy meta, including the host, something like: https://github.com/benitogf/hotpot/blob/master/client/src/index.pug#L8

breautek commented 3 years ago

SEC7120: Origin http://localhost:8000 not found in Access-Control-Allow-Origin header.

Is stating that whatever server you're trying to access is being blocked because they have CORS enabled and your server isn't the allowed origin. The server needs to send the Access-Control-Allow-Origin header with the value of http://localhost:8000 or use the * wildcard.

MDN has a good resource that explains everything you need to know about CORS. I've also written a blog post on this, while the subject is about iOS and the WKWebView... the CORS concept is still the same.

I'm closing this because this is not a bug with Cordova.