
Access-Control-Allow-Origin error on AWS server when website is opened through www


In the browser, when I open my website by typing only mywebsite.com, the ajax request successfully hits my REST web service. But when I type www.mywebsite.com, I get this error: XMLHttpRequest cannot load http://mywebsite.com/path Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.mywebsite.com' is therefore not allowed access.

The jQuery ajax request is:

return $.ajax({ url: "http://mywebsite.com/path/", type: "POST",

The website is deployed on an AWS server, and below is the CORS configuration:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
        <ExposeHeader>x-amz-request-id</ExposeHeader>
        <ExposeHeader>x-amz-id-2</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

I am unable to find the solution as to why adding www creates a problem.


Solution

  • It turns out your site isn't on Amazon S3, so I'm not sure why you showed an example of editing a CORS configuration on an S3 bucket.

    Your site is actually running on Apache Coyote on an EC2 server.

    The actual problem here is in your JavaScript. In the file MarketProfile.js you've got some strings sort of minimally obfuscated using hex.

    return $.ajax({url:"\x68\x74\x74\x70\x3A\x2F\x2F\x62\x72\x65\x61\x6B\x69\x6E\x67\x74\x72\x61\x64\x65\x2E\x63\x6F\x6D\x2F\x72\x65\x73\x74\x2F\x72\x65\x73\x74\x2F\x63\x6F\x6D\x62\x69\x6E\x65\x64

    That's equivalent to this:

    http://breakingtrade.com/rest/rest/combined
    

    When you're loading this from the main web site, it's not cross-origin. When you're loading it from the www site, it's a cross-origin request, because the hostname is different.

    Fixing this should be as simple as making url a simple absolute path, specifying only '/rest/rest/combined' for this string, rather than including 'http://breakingtrade.com' at the beginning of the string.

    Otherwise, you'll need to figure out how to make your server or at least this particular resource return CORS headers... but if you do that, of course, you'll want to be selective in which origins you allow, unless you want other people using your server to add data to their web sites (which could happen much more easily if you allow just any site to make a cross-origin request).
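The two points of the answer, the origin comparison the browser performs and a selective server-side allowlist, as an added example that is not part of the question or the answer. It assumes Node's global URL class and uses mywebsite.com placeholders and a constructed allowlist.

```javascript
// An origin is the (scheme, host, port) triple. "http://mywebsite.com" and
// "http://www.mywebsite.com" differ in host, so they are different origins even
// though they may be served by the same machine.
function originOf(urlString) {
  return new URL(urlString).origin; // e.g. "http://www.mywebsite.com"
}

// Resolve the request URL the way the browser does: a path-only URL such as
// "/rest/rest/combined" inherits the page's origin, so it is never cross-origin.
function isCrossOrigin(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, pageUrl); // relative URLs resolve against the page
  return page.origin !== req.origin;
}

// Server side: constructed allowlist of the origins this API is meant to serve.
// Echo the request's Origin only when it is listed; never reflect arbitrary
// origins and never answer "*" on an endpoint that accepts writes.
const ALLOWED_ORIGINS = new Set([
  "http://mywebsite.com",
  "http://www.mywebsite.com",
]);

function corsHeadersFor(originHeader) {
  if (!originHeader || !ALLOWED_ORIGINS.has(originHeader)) {
    return {}; // no Access-Control-Allow-Origin: the browser blocks the response
  }
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Vary": "Origin", // caches must key on Origin when the value is per-origin
  };
}
```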