I am getting the following CORS error when I am trying to make calls to my RESTful web services written in PHP ONLY when I am behind my corporate firewall.
Refused to connect to 'http://prx-9k-40-hadc/?cfru=aHR0cDovL2phY2tzb25uZy5wcm9qZWN0c2JpdC5vcmcvcGl6emFwbGFjZS9sb2dpbl9hZG1pbi5waHA/dXNlcmlkPWFkbWluJnBhc3N3b3JkPWFkbWlu' because it violates the following Content Security Policy directive: "connect-src 'self' data: gap: 'unsafe-eval' 'self' ws:".
This does not happen when I am not behind the corporate firewall (i.e. I am logging on from home and not connected through corporate VPN).
My content security policy is as follows:
    <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
And this is how I did my Ajax call:
    $.ajax({
        url: url,
        type: 'GET',
        data: JSONObject,
        dataType: 'json',
        contentType: "application/json; charset=utf-8",
        success: function (arr) {
            _getLoginResult(arr);
        },
        error: function () {
            validationMsg();
        }
    });
My headers in my PHP web service look like this:
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
    header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');
    header("Content-Type: application/json; charset=UTF-8");
Again, here are the symptoms:
Everything here works fine when I am NOT behind my corporate firewall, and not logged in to my company through its VPN.
Once I am logged in, the CORS error occurs, and none of the settings changes that I attempted to make on the server, or to my content security policy, changes anything.
I see that it says "refused to connect to http://prx-9k-40-hadc". This is definitely not the URL of my RESTful web services. It feels like my company's proxy server.
Has anyone encountered this? I would like to be able to run my web services behind my corporate firewall.
asked Nov 14, 2017 at 15:17 by Jackson Ng, edited Nov 14, 2017 at 15:30 by Racil Hilan
1 Answer
I solved it. My corporate firewall was configured to strip access control headers it considers dangerous. Obviously it felt that this was dangerous if it isn't accessed via SSL.
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
    header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');
    header("Content-Type: application/json; charset=UTF-8");
So all I did was make my RESTful service calls with https:// instead of http:// and all is fine.
I definitely didn't think this was the problem because less than a week ago, this firewall directive didn't exist.
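A small diagnostic for the symptom in this thread, added here as an example (it is not code from the question or the answer): it compares the URL the app meant to call with the URL named in the CSP violation, decodes the proxy's `cfru` parameter, and checks the blocked URL against the reported `connect-src` list. The hostnames and the functions `diagnose` and `allowedByConnectSrc` are hypothetical, the source matching is simplified, and treating `cfru` as the base64 of the originally requested URL is an assumption based on the value shown in the error.

```javascript
// Added diagnostic example (not from the original post). Assumption: the
// proxy's `cfru` parameter is the base64 of the URL the page really requested.
function b64decode(s) {
  return typeof atob === 'function' ? atob(s)
                                    : Buffer.from(s, 'base64').toString('latin1');
}
function b64encode(s) {
  return typeof btoa === 'function' ? btoa(s)
                                    : Buffer.from(s, 'latin1').toString('base64');
}

// Simplified connect-src check: 'self', scheme sources (ws:) and
// scheme://host sources only. No wildcards, ports or paths.
function allowedByConnectSrc(url, sources, pageOrigin) {
  const u = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return u.origin === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
    if (src.includes('://')) return u.origin === new URL(src).origin;
    return false; // keywords such as 'unsafe-eval' never match a URL
  });
}

function diagnose(intendedUrl, blockedUrl, connectSrc, pageOrigin) {
  const intended = new URL(intendedUrl);
  const blocked = new URL(blockedUrl);
  const cfru = blocked.searchParams.get('cfru');
  // URLSearchParams turns '+' into ' ', so restore it before decoding.
  const original = cfru ? b64decode(cfru.replace(/ /g, '+')) : null;
  return {
    redirectedByIntermediary: blocked.host !== intended.host, // request was rewritten in transit
    originalTarget: original,                                 // what the page actually asked for
    plaintextRequest: intended.protocol === 'http:',          // readable and rewritable on the wire
    blockedUrlAllowed: allowedByConnectSrc(blockedUrl, connectSrc.split(/\s+/), pageOrigin),
  };
}

// Constructed sample values; only the policy string is taken from the error above.
const PAGE_ORIGIN = 'http://app.example.test';
const POLICY = "'self' data: gap: 'unsafe-eval' 'self' ws:";
const API = 'http://app.example.test/api/login.php';
const BLOCKED = 'http://proxy.example.test/?cfru=' + b64encode(API);
const report = diagnose(API, BLOCKED, POLICY, PAGE_ORIGIN);
console.log(report);
```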