apache 2.4 – “CORS Multiple Origin Not Allowed” – using parse-server and apache2

I am using apache2 as a reverse proxy for my parse-server. In order to allow Cross Origin Requests I originally tried setting:

Header always set Access-Control-Allow-Origin "*"

in the apache config file together with:

ProxyPass /parse/ http://localhost:1337/parse/
ProxyPassReverse /parse/ http://localhost:1337/parse/
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 (R=200,L)

After setting this, the requests were successfully forwarded from apache to my parse-server. However now my Webapp throws CORS Multiple Origin Not Allowed.

In the developer console of my browser I can see that this Access-Control-Allow-Origin option is set twice.

enter image description here

I have confirmed that the second instance of this appears due to parse-server. However I can not find a way to either prevent parse-server or apache from setting this option in the response.

I tried changing my initial line in the apache config to:

1.

Header always setifempty Access-Control-Allow-Origin "*"
Header always add Access-Control-Allow-Origin "*"
Header always add Access-Control-Allow-Origin "*"
Header always edit Access-Control-Allow-Origin "^$" "*"

None of these tries changed anything. However removing the Access-Control-Allow-Origin option in the apache config prevents the initial request from getting through to parse-server, so this is not an option.

I am using apache2 version 2.4.29 and parse-server 4.10.3.

Does anyone know a way to get this to work?

owasp – CORS without Access-Control-Allow-Credentials

I’m testing a web application and burp detected this issue:
Cross-origin resource sharing: arbitrary origin trusted

Looking at the response, I only see this header:
Access-Control-Allow-Origin: https://www.evil.com

Considering the lack of this header set to true in the response:
*Access-Control-Allow-Credentials: true *
can I consider this vulnerability a false positive?

Thanks a lot!

how to determine CORS Browser state

How do I determine the current CORS “state” in different browsers?
I have for example a case where two different Access-Control-Allow-Origin headers are set, and I want to know which one applies now.

Usually I read through the specification in such cases, but I was unable to find this specific case.
Additionally the specification does not always match the implementation right?
How can I approach such a problem?

Error 405 en Angular aun habilitando CORS

Tengo habilitado CORS y los metodos http en startup.cs:

public void ConfigureServices(IServiceCollection services)
        {
            services.AddCors(options =>
            {
                options.AddPolicy(name: MyAllowSpecificOrigins,
                                  builder =>
                                  {
                                      builder.WithHeaders("*");
                                      builder.WithOrigins("*");
                                      builder.WithMethods("*");
                                  });
            });
            services.AddCors(); // Make sure you call this previous to AddMvc
            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
            // services.AddResponseCaching();
            services.AddControllers();
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = Configuration("JWT:Issuer"),
                    ValidAudience = Configuration("JWT:Audience"),
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes(Configuration("JWT:ClaveSecreta"))
                    )
                };
            });
            services.AddMvc();
            string mySqlConnectionStr = Configuration.GetConnectionString("Default");
      services.AddDbContext<gestionContext>(options =>
            options.UseMySql(mySqlConnectionStr, ServerVersion.AutoDetect(mySqlConnectionStr)));
            services.AddControllers();

        } 

Pero obtengo :

HttpErrorResponse {headers: HttpHeaders, status: 405, statusText: “OK”, url: “https://localhost:44355/Cliente”, ok: false, …

Y tengo mi apiclienteservice.ts:

import { HttpClient, HttpHeaders } from '@angular/common/http';
import { Injectable } from '@angular/core';
import { Observable } from 'rxjs';
import {Response} from '../models/response';
import { cliente } from '../models/cliente';
const httpOption = {
 headers :new HttpHeaders({
   'Content-Type' : 'application/json'
 })
}
@Injectable({
 providedIn: 'root'
})
export class ApiclienteService {


 url: string = 'https://localhost:44355/Cliente';

 constructor(
   private http: HttpClient
   ) { 
   
 }
 getClientes():Observable<Response>{

   return this.http.get<Response>(this.url);
   
 }
 add(cliente:cliente): Observable<Response>{
   return this.http.post<Response>(this.url,cliente,httpOption);
 }
 edit(cliente:cliente):Observable<Response>{
   return this.http.put<Response>(this.url,cliente,httpOption);
 }
 delete(id:number):Observable<Response>{
   return this.http.delete<Response>(`${this.url}/${id}`);
 }
}

Cors Error when generating access token for SharePoint point online from a JavaScript application

Any help is much appreciated. I’m trying to save data from a html form to a list in SharePoint online. I’m using SharePoint REST API to add items to the list. Ajax call to generate access token is throwing cors error.

$.ajax({
url: "https://accounts.accesscontrol.windows.net/tenant_id/tokens/OAuth/2",
type: "POST",
data: JSON.stringify({
"grant_type": "client_credentials",
"client_id": "<client_id>",
"client_secret": "<client_secret>",
"resource": "00000003-0000-0ff1-ce00-000000000000/site_url@tenant_id"
}),
headers: {
"contentType": "application/x-www-form-urlencoded",
},
success: function() {},
error: function() {}
})

Note: This code returns an access token in postman. If I use that access token in SharePoint REST Api, I’m able to add data to list. So the challenge is generating access token from my javascript application instead of Postman.
I can’t use MSAL as I don’t want to register my app in Azure AD. I don’t want a temporary fix like using a chrome extension to fix cors error or modifying rewrite rules in IIS.

I’m new to SharePoint, so any insights on alternate approaches would also be helpful.

javascript – problema com o CORS

Estou desenvolvendo uma api para uma plataforma de educação, e dai
criei as minhas rotas privadas e públicas. As publicas são para
criação e validação de token, para ai usar ele para acessar as rotas
privadas, porém o Cors, por algum motivo, está bloqueando as
requisições nas rotas privadas,não dando block nas rotas,mas sim na
requisição que o server faz. queria saber o que poderia ser isso,
aqui vai o code co arquivo de rotas:

const routes = express.Router()
const {save,get,getById} = require('../api/user')
const {saveCategory,removeCategory,getCategory,getCategoryById,getTree} =require('../api/category')
const {saveArticles,removeArticles,getArticles,getArticlesById,getArticlesByCategory} =require('../api/articles')
const {signin,validateToken} = require('../api/utils/auth')
const {authenticate} =require('./passport')

routes.post('/signup',save)
routes.post('/signin',signin)
routes.post('/validateToken',validateToken)

routes.route('/users')
        .all(authenticate)
        .post(save)
        .get(get)

routes.route('/users/:id')
        .all(authenticate)
        .get(getById)
        .put(save)

routes.route('/categories')
        .all(authenticate)
        .get(getCategory)
        .post(saveCategory)
   
        // Rota tree deve vir antes de categories/id     

routes.route('/categories/tree')
        .all(authenticate)
        .get(getTree)

routes.route('/categories/:id')
        .all(authenticate)
        .get(getCategoryById)
        .put(saveCategory)
        .delete(removeCategory)


routes.route('/articles')
        .all(authenticate)
        .get(getArticles)
        .post(saveArticles)

routes.route('/articles/:id')
        .all(authenticate)
        .get(getArticlesById)
        .put(saveArticles)
        .delete(removeArticles)        
        
routes.route('/categories/:id/articles')
        .all(authenticate)
        .get(getArticlesByCategory)






module.exports =routes```

E esse daqui é aonde eu chamo o cors:


```const express =require('express')
   const app = express()
   const bodyParser =require('body-parser')
   const consign = require('consign')
   const db = require('./config/db')
   const routes = require('./config/routes')
   const cors =require('cors')



//app.use(cors)
//app.db=db
app.use(bodyParser.json())
app.use(routes)```
  
 O método que da block, e chama o service de autenticação é o .All()

Dai se vc tirar o metódo All(),as rotas voltam ao normal.

javascript – Desahabilitar CORS Laravel 8

quiero dehacerme de los CORS entiendo la seguridad y todo eso ,pero a mi no me sirve en este caso, llevo tratandolo toda la semana y nada, he intentado de todas las formas posibles pero no me deja.

Todo el rato restringido por CORS y todo eso, quiero desahilitarlo por completo, que dea acceso libre a mi sistema.

TODAS LAS FORMAS DE INTENTO

bootstrap.php , api.php

header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, POST, GET, OPTIONS, DELETE, *");

Middleware

  public function handle($request, Closure $next)
  {
    return $next($request)
      ->header("Access-Control-Allow-Origin", "*")
      ->header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
      ->header("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, X-Token-Auth, Authorization"); 
  }

cors.php

<?php

return (

    /*
    |--------------------------------------------------------------------------
    | Cross-Origin Resource Sharing (CORS) Configuration
    |--------------------------------------------------------------------------
    |
    | Here you may configure your settings for cross-origin resource sharing
    | or "CORS". This determines what cross-origin operations may execute
    | in web browsers. You are free to adjust these settings as needed.
    |
    | To learn more: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
    |
    */
    'paths' => ('api/*','api/admin/*'),
    'allowed_methods' => ('POST', 'GET', 'DELETE', 'PUT', 'OPTIONS', '*'),
    'allowed_origins' => ('*', '*', '*','*, *', '*, *, *', '*'),
    'allowed_origins_patterns' => (),
    'allowed_headers' => ('X-Custom-Header', 'Upgrade-Insecure-Requests', 'csrftoken', 'x-csrf-token', 'CSRFToken', 'X-CSRF-TOKEN','Access-Control-Allow-Origin','content-type', 'accept', '*'),
    'exposed_headers' => ('x-custom-response-header'),
    'max_age' => 0,
    'supports_credentials' => false,
);

Parece que es cuando la peticion es con un usuario logueado, si el usuario no esta logueado no ocurre ese problema,

$(document).ready(function () {
    $.post(web + "/api/admin/all").then(res => {
        Object.keys(res).forEach((key, pos) => {
            try{
                $("#" + key).val(key == "ptep" ? eval(res(key)):res(key));
            }catch(er){
                console.log(er);
            };
        });
    });
});

javascript – Is CORS a subject to consider for webpack 5’s new ‘module federation’ feature? Why or why nort?

Webpack 5 has enabled a feature for a ‘shell’ to load js chunks from other origins. Why does this not trigger CORS issues? I assume the same reason tags can access other domians without triggering CORS?

Assuming that is correct and now we have a chunk from origin ‘remote’ sitting in our ‘shell’ (federated). Now if that chunck accesses endpoints (FETCH, GET, PUT, POST, etc) from a diiferent origin from the shellthen that will trigger CORs, correct? Why not? If this is true this does add architectural complexity to the notion of module-federation and micro-frontends. Thoughts appreciated!

How to protect from CORS Proxy

With CORS Proxy we can bypass CORS restriction using CORS Proxy. Which can strip away X-Frame-Options and Same Origin restriction. This can impact Account compromise or click jacking.

Is there a way to protect both origin and front from CORS Proxy

  1. For origin i want it to be disabled to interact with any CORS Proxy

  2. For frontend i also want to disable CORS Proxy being injected in
    urls

spfx extensions – CORS and SP2019 on prem dev

I’m again trying my hands on some SPFx development on code downloaded from GitHub. As we are behind firewalls and they won’t open anything I have to use a local CDN for all my manifest files and what not.
Now some of the small devs i have done work fine but some of them i run into the CORS issue with the error below

enter image description here

Now one of the dev’s that i played with i did get to works with the below code as i did get some great help from this community

enter image description here

However when i try to do this on this latest dev below I can’t get it to work. Below is the full ts file and i just tried to enter the same code.

enter image description here

I’m a inhouse guy who got thrown into this because I like to tinker but I’m now in way over my head. If anyone has some time to help it would be great. The code that I started with for CORS is here