Trying to display Alerts and Convo pop-up off-forum - CORS


Hi All,

I have my forum set up on On, I'd like to display the user's alerts, convos, etc.

I instantiate XF on, and get the user's proper xfToken, and try to do a cross-domain ajax query.

However, it gives me a 403. When I directly visit the same ajax URL on its own, it displays the proper JSON. I'm calling xenforo.js on to do it, with the proper data-contentSrc, data-contentDest, etc.

If anyone can help troubleshoot, my headers are:

OPTIONS /account/alerts-popup?_xfToken=XXX&&_xfRequestUri=%2F&_xfNoRedirect=1&_xfResponseType=json HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Access-Control-Request-Headers: accept, x-ajax-referer
Access-Control-Request-Method: GET
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

HTTP/1.1 403 Forbidden
Access-Control-Allow-Headers: accept, x-ajax-referer
Access-Control-Allow-Methods: GET, POST, OPTIONS
Cache-control: private, max-age=0
Content-Length: 293
Content-Type: application/json; charset=UTF-8
Date: Tue, 05 May 2015 02:54:45 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 05 May 2015 02:54:45 GMT
Server: lighttpd
Set-Cookie: xf_session=71c6f31ee58512aca7ec7739bd9326f0; path=/;; httponly
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.3.29

I notice in calls from there is an X-Ajax-Referer in the headers. Could this be the issue? How do I go about adding it on
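
The preflight exchange captured in the post above can be checked against the rules a browser applies before it sends the real cross-origin request. This is an added example, not part of the original post or of XenForo's code; the header values come from the capture, while the origin value and the function names are assumptions.

```javascript
// Added example, not from the thread. Header values are copied from the capture
// in the post; the origin is a constructed placeholder (the capture shows none).
const ASSUMED_ORIGIN = "https://site.example";

const preflightRequest = {
  origin: ASSUMED_ORIGIN,
  method: "GET",                          // Access-Control-Request-Method
  headers: ["accept", "x-ajax-referer"],  // Access-Control-Request-Headers
};

const capturedResponse = {
  status: 403,
  headers: {
    "access-control-allow-headers": "accept, x-ajax-referer",
    "access-control-allow-methods": "GET, POST, OPTIONS",
  },
};

const splitList = (v) =>
  (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Returns every reason a browser would reject this preflight response.
// withCredentials: true when the real request is meant to carry cookies.
function checkPreflight(req, res, withCredentials) {
  const problems = [];
  const h = res.headers;
  const wildcardOk = !withCredentials; // "*" is literal on credentialed requests
  const listed = (list, x) => list.includes(x) || (wildcardOk && list.includes("*"));

  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);

  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin === "*" ? !wildcardOk : allowOrigin !== req.origin) {
    problems.push(`Access-Control-Allow-Origin "${allowOrigin}" does not permit ${req.origin}`);
  }
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    problems.push("missing Access-Control-Allow-Credentials: true");
  }
  const m = req.method.toLowerCase();
  const safelisted = ["get", "head", "post"]; // allowed without being listed
  if (!safelisted.includes(m) && !listed(splitList(h["access-control-allow-methods"]), m)) {
    problems.push(`method ${req.method} not allowed`);
  }
  // Conservative: checks every header the preflight listed, safelisted or not.
  const allowed = splitList(h["access-control-allow-headers"]);
  for (const name of req.headers) {
    if (!listed(allowed, name)) problems.push(`header ${name} not allowed`);
  }
  return problems;
}
```

Browsers send the preflight OPTIONS request without cookies, so a server that answers it successfully only for a logged-in session fails the status check whatever CORS headers it returns.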


Hi Daniel - thanks for the reply.

I guess I'm just trying to mimic the way Xenforo does it. I'm having great difficulty figuring out the 403, so maybe loading via the models is the route to take. Now to spend another day figuring out that way :)