CORS preflight request returns "403 Forbidden"; the subsequent request is then sent only in Chrome

After a failure using pluploader in this question, I am trying FineUploader now.

After reading up on CORS, I implemented various headers on my IIS6 server.

It looks like my script is launching the first (preflight) authorization request, which does not work, but Chrome sends the second (standard) request anyway; Firefox does not. I suppose this is actually a bug on Chrome's part, but at least it allowed me to see that my script is probably working correctly.

Here is the first (preflight) request, as shown in Chrome and FF:

    OPTIONS /frog/LOTS/upload/php.php HTTP/1.1
    Host: staff.curriculum.local
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Origin: http://frogserver.curriculum.local
    Access-Control-Request-Method: POST
    Access-Control-Request-Headers: cache-control,x-requested-with
    Pragma: no-cache
    Cache-Control: no-cache

The Access-Control... headers are the ones I added to IIS.

And here are my response headers:

    HTTP/1.1 403 Forbidden
    Content-Length: 1758
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    x-powered-by: ASP.NET
    Access-Control-Allow-Origin: http://frogserver.curriculum.local
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Cache-Control
    Access-Control-Allow-Methods: OPTIONS, GET, POST
    Access-Control-Expose-Headers: Origin, X-Requested-With
    Date: Mon, 22 Apr 2013 15:19:20 GMT

I tried to compare the two side by side, but I cannot find a missing header that would cause the preflight request to return a 403 Forbidden error.


I did not include my PHP source as it has a lot of code. Suffice it to say that it works in Chrome and that the file is uploaded correctly, so the script must be correct. The only thing worth mentioning is that I have a header("Content-Type: text/plain"); at the beginning of my script. Changing this to text/html makes no difference in Chrome or Firefox.

JavaScript is pretty simple:

    $('#jquery-wrapped-fine-uploader').fineUploader({
        request: {
            endpoint: 'http://staff.curriculum.local/frog/LOTS/upload/php.php'
        },
        cors: {
            expected: true,        // all requests are expected to be cross-domain requests
            sendCredentials: true  // if you want cookies to be sent along with the request
        }
    });

Can anyone help? I spent literally 8 hours on this one problem today, and I'm close to tearing my face .... !!

Thanks in advance,

+4
2 answers

It took me a week, but I finally found the problem.

By default, IIS6 does not allow the OPTIONS verb for .php files (or .asp(x), for that matter).

As such, it did not recognize the OPTIONS preflight call at all.

To change this in IIS6, follow these steps:

  • In IIS Manager, navigate to the root website directory. Right-click it and select Properties
  • Go to the "Home Directory" tab, then click the "Configuration" button at the bottom
  • Find the script file extension you are trying to connect to, for example .php or .asp, and click "Edit"
  • Add OPTIONS to the list of allowed verbs (it should now read something like REQUEST, GET, POST, OPTIONS)
  • Add the code below to your PHP script to handle the responses for IE

I could not get Internet Explorer to work without the following code in my PHP script:

    /* $result is the array built by the upload-handling code above */

    /* Is the request from Internet Explorer (i.e. not sent via XMLHttpRequest)? */
    if ( !isset( $_SERVER['HTTP_X_REQUESTED_WITH'] )
         || $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest" ) {
        /* If so, we need to send a UUID and the iframe XSS response script... */
        header("Content-Type: text/html");
        /* This needs some extra security, for sure */
        if( $result["success"] == "true" )
            $result["uuid"] = $_POST["qquuid"];
        echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
        echo "<script src='iframe.xss.response-3.4.1.js'></script>";
    } else {
        /* Otherwise, we can just echo the json'd result */
        echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
    }

I gave Ray Nicolos the 50 points; although I did not find his method particularly useful, he was right all along. However, for others looking at this post with a similar issue, I am marking my own answer as correct.

+2

As mentioned in my comments, this seems to be a problem with your server. For some reason, it rejects the original OPTIONS request. You will need to look at the logs of your server to find out why your server responds to this request with 403.

The user agent sends this initial (preflight) request. Fine Uploader does not send this request directly; the user agent sends it in accordance with the CORS specification. If you have specific questions about CORS, you can see my blog post on how Fine Uploader handles CORS, and/or you can read this excellent MDN article on CORS.

+5
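As an added example (not code from the question, from either answer, or from Fine Uploader's own server-side samples), here is a single PHP endpoint that does the two things the thread turns on: it answers the OPTIONS preflight the browser sends on its own (as the second answer explains) with an origin allowlist instead of a blanket header, and it hardens the IE/iframe branch from the accepted answer by accepting only a well-formed UUID before reflecting `qquuid` into an HTML page. The origin allowlist, the shape of `$result`, the `text/plain` content type for the XHR branch and the script name `iframe.xss.response-3.4.1.js` are taken from the thread; the XHR branch emits plain `json_encode` output rather than the answer's `htmlspecialchars`-wrapped JSON, since the client parses it as JSON. It assumes IIS6 already allows the OPTIONS verb for .php, which is the fix in the accepted answer; otherwise IIS answers 403 before PHP runs at all.

```php
<?php
// Added example (not from the question or answers). PHP 5.3-compatible syntax
// so it matches the IIS6-era setup in the thread.

$allowedOrigins = array(
    'http://frogserver.curriculum.local',   // origin seen in the question's request
);

$origin        = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
$originAllowed = ($origin !== '') && in_array($origin, $allowedOrigins, true);

// A cross-origin caller we do not know: refuse every method, not just OPTIONS,
// so an unlisted site cannot even trigger the upload handler.
if ($origin !== '' && !$originAllowed) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// The uploader sends credentials (cookies), so the browser rejects
// Access-Control-Allow-Origin: *; the exact allowed origin must be echoed back,
// and Vary: Origin stops shared caches from replaying it to other origins.
if ($originAllowed) {
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin');
}

// Preflight: answer with the methods/headers the real request may use, then stop.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    header('Access-Control-Allow-Methods: OPTIONS, GET, POST');
    header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Cache-Control');
    header('Access-Control-Max-Age: 600');   // let the browser cache this preflight
    header('HTTP/1.1 204 No Content');
    exit;
}

// --- the real upload handling goes here and produces $result ---
// Constructed placeholder so the file runs stand-alone:
$result = array('success' => true);

// Fine Uploader's IE fallback posts through an iframe, which carries no
// X-Requested-With header; its absence selects the HTML reply below.
$isXhr = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
      && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';

if ($isXhr) {
    header('Content-Type: text/plain');
    echo json_encode($result);
    exit;
}

// The accepted answer reflects $_POST['qquuid'] into an HTML document. Only a
// well-formed UUID is accepted here, so the reflected value can never carry
// markup or script, whatever the client sends.
$uuid = isset($_POST['qquuid']) ? $_POST['qquuid'] : '';
if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $uuid)) {
    $result = array('success' => false, 'error' => 'missing or malformed qquuid');
} elseif (!empty($result['success'])) {
    $result['uuid'] = $uuid;
}

header('Content-Type: text/html');
// Same encoding as the accepted answer: the JSON becomes the document's text
// content, which iframe.xss.response-3.4.1.js reads and relays to the parent page.
echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
echo "<script src='iframe.xss.response-3.4.1.js'></script>";
```

Two checks worth running once this is deployed: an OPTIONS request with an allowlisted Origin should come back 204 with the three Access-Control-Allow-* headers, and the same request with any other Origin should come back 403 with no Access-Control headers at all. If the first check still returns IIS's own 403 HTML page (as in the question's capture), PHP never ran, and the OPTIONS verb is still not enabled for the .php mapping.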
