No 'Access-Control-Allow-Origin' header is present on the requested resource


nielvanv...@googlemail.com

Nov 24, 2015, 2:52:54 PM
to A gathering place for the Open Rail Data community
Hi

Apologies if there is already a thread on this topic. I have searched the group but not found anything that matches.

I have some JavaScript in my html page which uses XMLHttpRequest();

Today I learned about CORS which seems to be blocking me as I receive the following error in Chrome:

"XMLHttpRequest cannot load https://lite.realtime.nationalrail.co.uk/OpenLDBWS/ldb7.asmx. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access."

This is what I am trying to do but can't get any further.

    <html>
    <head>
    <title>SOAP JavaScript Client Test</title>
    <script type="text/javascript">
    function soap() {
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.open('POST', 'https://lite.realtime.nationalrail.co.uk/OpenLDBWS/ldb7.asmx', true);

        // build SOAP request
        var sr =
            '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:typ="http://thalesgroup.com/RTTI/2013-11-28/Token/types" xmlns:ldb="http://thalesgroup.com/RTTI/2015-05-14/ldb/">' +
            ' <soapenv:Header>' +
            ' <typ:AccessToken>' +
            ' <typ:TokenValue>my_token_removed</typ:TokenValue>' +
            ' </typ:AccessToken>' +
            ' </soapenv:Header>' +
            ' <soapenv:Body>' +
            ' <ldb:GetDepartureBoardRequest>' +
            ' <ldb:numRows>10</ldb:numRows>' +
            ' <ldb:crs>HYR</ldb:crs>' +
            ' </ldb:GetDepartureBoardRequest>' +
            ' </soapenv:Body>' +
            '</soapenv:Envelope>';

        // Fires on every state change; readyState 4 means the response is complete
        xmlhttp.onreadystatechange = function () {
            if (xmlhttp.readyState == 4) {
                if (xmlhttp.status == 200) {
                    alert('Done. Check Console');
                }
            }
        };
        // Send the POST request
        xmlhttp.setRequestHeader('Content-Type', 'text/xml');
        xmlhttp.send(sr);
        // send request
        // ...
    }
    </script>
    </head>
    <body>
    <form name="Demo" action="" method="post">
    <div>
    <input type="button" value="Soap" onclick="soap();" />
    </div>
    </form>
    </body>
    </html>


Is anyone else trying to do something similar? Maybe with the same results, or even better - a resolution?

Any advice is much appreciated.

Thank you.

Peter Hicks

Nov 24, 2015, 3:00:10 PM
to nielvanv...@googlemail.com, A gathering place for the Open Rail Data community
Hello

It's a really bad idea to put your authentication token in client-side JavaScript - it means anyone can use it. The T&Cs of the Live Departure Boards API say that you must keep your token secret. I can think of a use case, however, where you are keeping the JavaScript secret, e.g. it's on an embedded device you control - and this might be what you're doing.

I'll float the idea of enabling CORS on the service, but I can't guarantee it'll get adopted - but if you don't try, you can only fail!

Incidentally, have you looked at something like https://github.com/doedje/jquery.soap rather than constructing your SOAP body by hand? I've never done it, but it might get around the CORS issue.


Peter



Iain McLaren

Aug 3, 2017, 3:55:58 AM
to A gathering place for the Open Rail Data community, nielvanv...@googlemail.com
Hi,

I've developed a JavaScript live departure board client. It's in an embedded device, so I'm not leaking my token.

At the moment, the device's browser allows CORS, but it may be removed in a future release.

Was there any progress in adding the access-control-allow-origin header on the service?

Thanks,
Iain
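
An added example, not part of any post in this thread: a small Node.js proxy that keeps the token on the server, as Peter's reply advises, and returns `Access-Control-Allow-Origin` only to an allowlisted page origin. The origin `https://departures.example`, the `LDB_TOKEN` environment variable, port 8080 and the function names are assumptions; the endpoint, envelope and `Content-Type` are the ones from the first post.

```javascript
// Added example: the browser calls this proxy; the token never reaches the page.
const UPSTREAM = 'https://lite.realtime.nationalrail.co.uk/OpenLDBWS/ldb7.asmx'; // from the post
const ALLOWED_ORIGINS = ['https://departures.example']; // assumption: your page's origin

// Rebuild the post's envelope server-side. crs is validated and the token
// escaped, so neither can inject XML into the upstream request.
function buildEnvelope(token, crs) {
  if (!/^[A-Z]{3}$/.test(crs)) throw new RangeError('crs must be three capital letters');
  const esc = (s) => String(s).replace(/[<>&'"]/g, (c) => `&#${c.charCodeAt(0)};`);
  return '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"' +
    ' xmlns:typ="http://thalesgroup.com/RTTI/2013-11-28/Token/types"' +
    ' xmlns:ldb="http://thalesgroup.com/RTTI/2015-05-14/ldb/">' +
    `<soapenv:Header><typ:AccessToken><typ:TokenValue>${esc(token)}</typ:TokenValue>` +
    '</typ:AccessToken></soapenv:Header>' +
    '<soapenv:Body><ldb:GetDepartureBoardRequest><ldb:numRows>10</ldb:numRows>' +
    `<ldb:crs>${crs}</ldb:crs></ldb:GetDepartureBoardRequest></soapenv:Body></soapenv:Envelope>`;
}

// Echo the origin only if it is allowlisted. Never answer "*" or "null":
// pages opened from file:// send Origin "null" (as in the error in the first
// post), and allowing it would admit any local or sandboxed document.
function corsHeaders(origin) {
  return ALLOWED_ORIGINS.includes(origin)
    ? { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' }
    : {};
}

// Request handler. token and doFetch are parameters so it can be run offline.
async function handle(req, res, token = process.env.LDB_TOKEN, doFetch = fetch) {
  const crs = new URL(req.url, 'http://localhost').searchParams.get('crs') || '';
  const headers = corsHeaders(req.headers.origin);
  let body;
  try {
    body = buildEnvelope(token, crs);
  } catch (e) {
    res.writeHead(400, headers);
    return res.end(e.message);
  }
  const up = await doFetch(UPSTREAM, { method: 'POST', headers: { 'Content-Type': 'text/xml' }, body });
  res.writeHead(up.status, { ...headers, 'Content-Type': 'text/xml' });
  res.end(await up.text());
}

// Start only when a token is configured, e.g. LDB_TOKEN=... node proxy.js
if (process.env.LDB_TOKEN && typeof require === 'function') {
  require('http').createServer((req, res) =>
    handle(req, res).catch(() => { res.statusCode = 502; res.end(); })
  ).listen(8080, '127.0.0.1');
}
```

The page then requests `/departures?crs=HYR` from the proxy with a plain GET, which needs no preflight.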