AllowAccess issue even if my server has `Access-Control-Allow-Origin:*`

Question

I'm trying to get access to Box.com with their API, but any XHR that I perform my browser give me the follow Access-Control-Allow-Origin issue:

[Error] XMLHttpRequest cannot load https://www.box.com/api/oauth2/token. Origin http://localhost:8888 is not allowed by Access-Control-Allow-Origin. (localhost, line 0)

I use a easy python server that I found at this gist

It has (at line 44) this line of code self.send_header("Access-Control-Allow-Origin", "*") and then I think that it auld work correctly... Am I right?

This Is the code that generate the XMLHttpRequest:

this.getAccessToken = function(code) {
  var parameters = 'grant_type=authorization_code' +
    '&code=' + code +
    '&client_id=' + Box.client_id +
    '&client_secret=' + Box.client_secret;

  var xhr = new XMLHttpRequest();
  xhr.open('POST', 'https://www.box.com/api/oauth2/token');
  xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  xhr.setRequestHeader("Content-length", parameters.length);
  xhr.responseType = 'json';

  xhr.onReadyStateChange = function() {
    if (xhr.readyState == 4 && xhr.status == 200) {
      alert(xhr.response);
    }
  }

  xhr.send(parameters);
}

Answer 1

Before you can use a XHR/CORS request, you have to submit to Box support what your application does and why you need the exception. We do not allow * as the CORS "Access Control Allow Origin" entry. You have to tell Box the URL that you're going to pitch your stuff from.