Click here to Skip to main content
15,793,535 members
Please Sign up or sign in to vote.
3.00/5 (2 votes)
I came across an error on getting the url meta data by using Angular JS with ajax.

The error statement is:

XMLHttpRequest cannot load No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

var app = angular.module('myapp', []);
  function ($scope,$http){      
            var details = [
        .error(function (data, status, headers, config) {
            $scope.error = " - Something went wrong with your code....";

What I have tried:

$http.get('', function (res) {
              res.header("Access-Control-Allow-Origin", "*");
              res.header("Access-Control-Allow-Headers", "X-Requested-With");

Reference: access to specific domain only.
Updated 9-Feb-17 1:33am

The site you are trying to access doesn't want you accessing it from your own javascript, there is nothing you can do about this.
Share this answer
The code from the blog post you linked to needs to be used on the remote server being requested, not in the client making the request.

The cross-origin restrictions are there to prevent malicious code from making unauthorised requests to remote resource. If it was possible for the client to override the restrictions, then they wouldn't provide any protection, and there would be no point in having them.

For example, imagine you've logged in to your bank's site. They set some cookies to keep you logged in. Without the restrictions, any other site you visit could make a cross-origin request to your bank's site to transfer money from your account to a hacker's account. Because the request was sent from your browser, it would include the cookies that keep you logged in, and the request would succeed.

The solution is to create a "proxy" service on your server. Requests made from the server will not include or have access to any of the client's cookies for the remote site, so the cross-origin restrictions do not apply.

Your script would then call the proxy service on your site, which would not be a cross-origin request. The proxy service would make the network request, and return the relevant results to the page.
Share this answer
Jon McKee 9-Feb-17 15:52pm    
+5'd, well said! Just wanted to point out CORS is only gonna save you against some CSRF attacks and other methods like STP should also be considered depending on need. OWASP CSRF Cheat Sheet.
But i have tried on my own web page its not restricted to get those details when I tried the same with php I got those details by curl functions.
Share this answer
F-ES Sitecore 9-Feb-17 4:46am    
Your own page isn't restricted as you have not put restrictions in place, whereas this site has, and you can use php and curl as those are not ajax calls and this is an issue with ajax security.
Richard Deeming 9-Feb-17 6:23am    
If you want to ask a question or add a comment, use the "Have a Question or Comment?" button under the solution you're replying to.

Do not post your comment as a new "solution".

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900