Hi All,
I have my forum set up on forum.foo.bar. On foo.bar, I'd like to display the user's alerts, convos, etc.
I instantiate XF on foo.bar, and get the user's proper xfToken, and try to do a cross-domain ajax query
http://forum.foo.bar/account/alerts...estUri=/&_xfNoRedirect=1&_xfResponseType=json
However, it gives me a 403. When I directly visit the same ajax URL on its own, it displays the proper JSON. I'm calling xenforo.js on http://foo.bar to do it, with the proper data-contentSrc, data-contentDest, etc.
If anyone can help troubleshoot, my headers are:
Code:
OPTIONS /account/alerts-popup?_xfToken=XXX&&_xfRequestUri=%2F&_xfNoRedirect=1&_xfResponseType=json HTTP/1.1
Host: forum.foo.bar
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Access-Control-Request-Headers: accept, x-ajax-referer
Access-Control-Request-Method: GET
DNT: 1
Origin: http://www.foo.bar
Referer: http://www.foo.bar/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

HTTP/1.1 403 Forbidden
Access-Control-Allow-Headers: accept, x-ajax-referer
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Origin: http://www.foo.bar
Cache-control: private, max-age=0
Content-Length: 293
Content-Type: application/json; charset=UTF-8
Date: Tue, 05 May 2015 02:54:45 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 05 May 2015 02:54:45 GMT
Server: lighttpd
Set-Cookie: xf_session=71c6f31ee58512aca7ec7739bd9326f0; path=/; domain=.foo.bar; httponly
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.3.29
I notice in calls from http://forum.foo.bar there is an X-Ajax-Referer in the headers. Could this be the issue? How do I go about adding it on http://foo.bar?
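
A checker for the preflight exchange captured above, as an added example that is not part of the original post: it applies the browser's CORS preflight rules (2xx status, matching Access-Control-Allow-Origin, Access-Control-Allow-Credentials for cookie-bearing requests, approved method and headers) to the headers shown. The names `checkPreflight` and `withCredentials` are assumptions, and so is the request being sent with cookies, which the post does not state.

```javascript
// Added example: evaluate a captured CORS preflight the way a browser does.
// The sample exchange at the bottom is copied from the headers in the post.
const splitList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

function checkPreflight(req, res, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const problems = [];

  // A preflight response only counts if its status is 200-299.
  if (res.status < 200 || res.status > 299) {
    problems.push(`status ${res.status} is not 2xx`);
  }
  // Origin must match exactly; "*" is only accepted without credentials.
  const allowOrigin = h["access-control-allow-origin"];
  const wildcardOk = (v) => v === "*" && !withCredentials;
  if (allowOrigin !== req.origin && !wildcardOk(allowOrigin)) {
    problems.push(`Access-Control-Allow-Origin ${allowOrigin} does not cover ${req.origin}`);
  }
  // Requests that carry cookies also need Allow-Credentials: true.
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials: true is missing");
  }
  // Method names are case-sensitive; GET/HEAD/POST need no approval.
  const methods = splitList(h["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method)
      && !methods.some(wildcardOk)) {
    problems.push(`method ${req.method} is not allowed`);
  }
  // Simplification (assumption): every requested header name must be approved,
  // although browsers skip CORS-safelisted names such as Accept.
  const allowed = splitList(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of splitList(req.requestHeaders).map((s) => s.toLowerCase())) {
    if (!allowed.includes(name) && !allowed.some(wildcardOk)) {
      problems.push(`header ${name} is not allowed`);
    }
  }
  return problems;
}

const request = { origin: "http://www.foo.bar", method: "GET",
  requestHeaders: "accept, x-ajax-referer" };
const response = { status: 403, headers: {
  "Access-Control-Allow-Headers": "accept, x-ajax-referer",
  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
  "Access-Control-Allow-Origin": "http://www.foo.bar" } };

console.log(checkPreflight(request, response, true));
```

On the captured exchange it reports the 403 status and, when cookies are assumed, the missing Access-Control-Allow-Credentials header; the origin, method and header approvals all pass.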