Question

I'm trying to access the Google API from localhost. Chrome says that it's impossible due to origin:

XMLHttpRequest cannot load https://maps.googleapis.com/maps/api.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8000' is therefore not allowed access. 

I'm using https-browserify to make the AJAX request.

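    // "https" is resolved to https-browserify when bundled with browserify
    var https = require("https");

    var options = {
      hostname: "maps.googleapis.com",
      port: 443,
      path: "/maps/api/....",
      method: "get",
      headers: {
        // Attempt to remove these headers from the request
        "Origin": null,
        "Referer": null
      }
    };
    // Start from an empty string so the chunks concatenate cleanly
    var result = "";
    var req = https.request(options, function(res) {
      res.on("data", function(chunk) {
        return result += chunk;
      });
      return res.on("end", function() {
        debugger;
      });
    });
    req.end();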

But this didn't help. Origin and Referer headers are still there when making this request. How can I remove them?


Solution

Origin is considered an unsafe header by the Request object (source code)

This is why you cannot remove them; the Request implementation only allows you to remove or modify headers that are deemed safe.

Other tips

Google Maps API does have Access-Control-Allow-Origin.

I quickly tested it using the code below after loading jQuery on a localhost page, and it works.

    $.getJSON("https://maps.googleapis.com/maps/api/timezone/json?location=-33.86,151.20")

Check out the same-origin policy on Wikipedia or MDN!

You should use an HTTP sniffer like Fiddler to analyse the request! Then you should check whether the Access-Control-Allow-Origin: * header is present! Your request can only work from a browser when this header is present on the response! So the server, in your case the Google server, has to send it! Google will usually do this on all public APIs for in-browser use, since otherwise there is no way to directly access this URL via an AJAX request.

It's important to understand that the same-origin policy is a browser feature built for security reasons! So it does not affect you when you make the request from a non-browser environment like Node.js or any other server-side programming environment! Also, it does not affect you when you make the request directly via the browser, since it's a limitation on AJAX requests, not generally every request.

There are ways to get around this limitation, so if you have to make an AJAX request to a server that doesn't send the Access-Control-Allow-Origin header, you can still proxy the request through your server!

Another workaround is JSONP, but this also needs support from the requested server!

Important note: if an origin is returned in the Access-Control-Allow-Origin header instead of *, the request is only possible as long as you are on the origin returned by the server! So maybe the server is returning the production origin, but denies localhost?

At least from Google reCAPTCHA I know you can restrict an API key to a specific origin. For development purposes Google normally allows all requests from localhost, but maybe for some reason not in your case. The best way to check this is to analyse the HTTP traffic with a simple HTTP sniffer, as said above!
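
The header check described in the answer above, as an added example that is not part of the original answers: a JavaScript model of how a browser evaluates Access-Control-Allow-Origin against the page's origin, useful for reading headers captured in a sniffer. The function name `corsVerdict` and the sample header sets are constructed for illustration.

```javascript
// Added example: models the check a browser applies to the
// Access-Control-Allow-Origin (ACAO) header of a cross-origin response.
// corsVerdict and the sample header sets below are constructed, not from the page.

function corsVerdict(pageOrigin, responseHeaders, withCredentials) {
  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const acao = headers["access-control-allow-origin"];

  if (acao === undefined || acao === "") {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao.includes(",") || acao.includes(" ")) {
    // Browsers accept exactly one value, never a list of origins.
    return { allowed: false, reason: "header must hold a single value" };
  }
  if (acao === "*") {
    // The wildcard is not honoured for requests that carry credentials.
    return withCredentials
      ? { allowed: false, reason: "wildcard not valid with credentials" }
      : { allowed: true, reason: "wildcard allows any origin" };
  }
  if (acao !== pageOrigin) {
    // Typical when the server returns only its production origin.
    return { allowed: false, reason: "allowed origin is " + acao };
  }
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { allowed: true, reason: "origin matches" };
}

// Constructed sample responses, evaluated for a page served from localhost.
const samples = [
  {},
  { "Access-Control-Allow-Origin": "*" },
  { "Access-Control-Allow-Origin": "https://www.example.com" },
  { "access-control-allow-origin": "http://localhost:8000" },
];
for (const h of samples) {
  console.log(JSON.stringify(h), corsVerdict("http://localhost:8000", h, false));
}
```
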

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow