monsur / test-cors.org Goto Github PK

Using a wildcard ("*") in Access-Control-Allow-Origin Header bears special meaning within the CORS specification.

It would be interesting to be able to play with this option, notably to check the behaviour of different browsers.

For example,
adding an "Allow Origin" field in the "Local" Server part,
with an option to "mirror" the requesting origin,
or to specify a text field where we can put a specific value, including the wildcard "*".

Hi,

The CORS spec requires preflight requests that use the HTTP method OPTIONS.

This page, and the JS generated by it, attempts to use the HTTP method OPTION. But there is no such HTTP method and this is not a correct CORS preflight request.

If the user is using the XDomainRequest object (i.e. they are visiting from IE8 or IE9), the options should be in line with what is supported in XDomainRequest. For example, only GET/POST methods are supported, and request headers can't be set. Also show a warning message to let the know about the limitations.

When the user tries to directly set the Content-Type header, it gets renamed to Content_Type by App Engine. Look into properly setting the Content-Type header.

Add a page that demonstrates making CORS requests via JQuery. Also include snippets of the jquery code for making the CORS request.

It is not clear to me how to generate a preflight check?

nice work!

Hi, I'm using a url shortener (custom hosted Yourls). When I do a GET, I get an error

How do I see what's the issue.

Sending GET request to https://xxx.com/test
Fired XHR event: loadstart
Fired XHR event: readystatechange
Fired XHR event: error

XHR status: 0
XHR status text:
Fired XHR event: loadend

Why does this dump the output directly? Shouldn't this list the origins allowed and the various capabilities?

Hello, good morning. How are you

If you can help me

I accessed the following service

http://www.test-cors.org/#?client_method=GET&client_credentials=false&server_url=http%3A%2F%2Fhom.vivo.ddivulga.com%2Ftrk%2Fc%3FadvId%3D1460%26impressionId%3D6c9dda44-bfd9-43e8-ae43-b544ab2099d4%26pageId%3D650602%26track%3Dtrue%26eventType%3Dvast%26url%3Dhttps%3A%2F%2F00px.net%2Fvpaid%2FeyJjciI6Njc0MDMsImNhIjo0MDI5LCJwbCI6NTE5Mjl9%2Fvpaid.xml%3Fduration%3D30%26skip%3Dfalse%26width%3D640%26height%3D360&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote

But when entering the URL the error is returned

Access to XMLHttpRequest at 'http://hom.vivo.ddivulga.com/trk/c?advId=1460&impressionId=6c9dda44-bfd9-43e8-ae43-b544ab2099d4&pageId=650602&track=true&eventType=vast&url=https://00px.net/vpaid/eyJjciI6Njc0MDMsImNhIjo0MDI5LCJwbCI6NTE5Mjl9/vpaid.xml?duration=30&skip=false&width=640&height=360' from origin 'http://www.test-cors.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

You know how to tell me how to solve the situation

It'll be great if there was an option to send the request with/without the Referrer header:

https://stackoverflow.com/a/32014225

meta.name = "referrer";
meta.content = "no-referrer";
document.getElementsByTagName('head')[0].appendChild(meta);```

The non-www versions of this website are returning 404.

I added a header to my request, but it's not showing at all in the network tab of chrome's dev tools. It's also not showing on my server. I'm trying to add:
auth: somerandomlettersandnumbers
and I have a ": " between the key and value, and no quotes.

Getting 500 error when running the test

Request URL: https://server.test-cors.org/server?id=3125318&enable=true&status=200&credentials=false
Request Method: GET
Status Code: 500
Referrer Policy: strict-origin-when-cross-origin

It seemed unclear to me, after enter a URL, whether the answer was yes or no.

Fired XHR event: loadstart
Fired XHR event: readystatechange
Fired XHR event: progress
Fired XHR event: error

XHR status: 0
XHR status text:
Fired XHR event: loadend

Should I understand that Cors is enabled on my server or not?

Please provide a solution to this

when I click "local" and then click "enable cors" check box I would assume "Access-Control-Allow-Origin" would be added to the headers and looks to still fail.

No matter what I set Enable CORS to, I always see the above.

It would be nice to test the behavior of CORS and redirects. But App Engine doesn't allow explicitly setting the "Location" header. Need to add some code to help test redirects in an App Engine friendly way: https://developers.google.com/appengine/docs/python/tools/webapp/redirects

Compile the corsclient.js code.