How to avoid a CORS message while developing on a local machine

I am developing a web application, calling php services from a server. As during the development, my web application runs on my computer, calling a php service on a server would result in a CORS message. This can be avoided by defining access_control_allow_origin headers.

However, when trying to do this on the server of my customer, this doesn't seem enough, as that server gives a CORS message, which makes the development more complicated: either I have to move the php services from my customer to the server that doesn't give CORS messages or I have to debug the web application on my customer server.

I wonder why the php services on the server of my customer give these CORS messages, whereas the other server doesn't. In both cases, the php service is exactly the same, providing exactly the same headers.

I have attached a small application to demonstrate the problem, together with several screen shots showing results on both servers. (1.8 MB)

Here is the php file used in the small program:

<?php header('Access-Control-Allow-Origin: http://localhost:8000'); header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept'); header('Content-Type: text/xml; charset=utf-8'); function get_url_param($key) { // Get an URL parameter if(isset($_POST[$key])) return $_POST[$key]; if(isset($_GET[$key])) return $_GET[$key]; return NULL; } // get_url_param $param = get_url_param('param'); if (($param == NULL) || ($param == '')) { $param = 'no parameter received'; } print '<?xml version="1.0" encoding="UTF-8"?>';

print '';
print ' ' . $param . '';
print '';

As the formatting of this php file is not so good, I have added a screenshot:

I'm not a PHP expert at all.
Does it make a difference when you add:

//at the very begining of your php script.
header('Access-Control-Allow-Origin: *'); 

I tried both: the specific origin and '*'. The headers are currently at the beginning of the php script. However, on server A, I can also put them right before the first executable line, that is, after the function.

I use CORS with PHP without any problems but you have to access the PHP using HTTPS not HTTP.

I am accessing php using https:

The only http I see in this example is the first header in the php and as I mentioned in a previous reply, I get the same results when replacing that header by header('Access-Control-Allow-Origin: *');

So, can you explain where I should replace http by https?

Sorry. I just saw the first header which was http. Are the servers Windows. Apache or what?

The one causing the error (server B) is definitely a Windows server. The other (server A) is an Apache.

This is the web.config that works for me:

<?xml version="1.0" encoding="UTF-8"?>
                <rule name="EAP HTTPS" stopProcessing="true">
                    <match url="(.*)" />
                        <add input="{HTTPS}" pattern="^OFF$" />
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
                <add name="Access-Control-Allow-Origin" value="*" />
                <add name="Access-Control-Allow-Credentials" value="False" />
                <add name="Access-Control-Allow-Headers" value="Content-Type,Cache-Control" />
                <add name="Access-Control-Allow-Methods" value="GET,POST,HEAD,OPTIONS" />

Dear Sir,

The settings in web.config work indeed on the Windows server, but cannot be combined with the same headers in the php file. I guess there must be some conflict. However, this is not so important, as the settings you gave me solve my problem and consequently, you made my day. Thank you very much,

Michel Huybrechts
Micriconsult BV

Hi Michel,

I'm pleased that I could help.