
Trying to display Alerts and Convo pop-up off-forum - CORS

Discussion in 'XenForo Development Discussions' started by robart, May 5, 2015.

  1. robart

    robart Member

    Hi All,

    I have my forum set up on forum.foo.bar. On foo.bar, I'd like to display the user's alerts, convos, etc.

    I instantiate XF on foo.bar, and get the user's proper xfToken, and try to do a cross-domain ajax query:

    http://forum.foo.bar/account/alerts...estUri=/&_xfNoRedirect=1&_xfResponseType=json

    However, it gives me a 403. When I directly visit the same ajax URL on its own, it displays the proper JSON. I'm calling xenforo.js on http://foo.bar to do it, with the proper data-contentSrc, data-contentDest, etc.

    If anyone can help troubleshoot, my headers are:

    Code:
    OPTIONS /account/alerts-popup?_xfToken=XXX&&_xfRequestUri=%2F&_xfNoRedirect=1&_xfResponseType=json HTTP/1.1
    Host: forum.foo.bar
    Accept: */*
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Access-Control-Request-Headers: accept, x-ajax-referer
    Access-Control-Request-Method: GET
    DNT: 1
    Origin: http://www.foo.bar
    Referer: http://www.foo.bar/
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
    
    HTTP/1.1 403 Forbidden
    Access-Control-Allow-Headers: accept, x-ajax-referer
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Origin: http://www.foo.bar
    Cache-control: private, max-age=0
    Content-Length: 293
    Content-Type: application/json; charset=UTF-8
    Date: Tue, 05 May 2015 02:54:45 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Last-Modified: Tue, 05 May 2015 02:54:45 GMT
    Server: lighttpd
    Set-Cookie: xf_session=71c6f31ee58512aca7ec7739bd9326f0; path=/; domain=.foo.bar; httponly
    X-Frame-Options: SAMEORIGIN
    X-Powered-By: PHP/5.3.29
    
    I notice in calls from http://forum.foo.bar there is an X-Ajax-Referer in the headers. Could this be the issue? How do I go about adding it on http://foo.bar?
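
An added example, not part of robart's post and not XenForo code: a small Node.js check that applies the browser's CORS preflight rules to the exchange captured above, trimmed to its CORS-relevant lines. `parseMessage` and `auditPreflight` are names made up here, and `credentialed = true` is an assumption that the alerts request is sent with the session cookie.

```javascript
// Added example: audit a captured CORS preflight exchange against the
// checks a browser applies. Function names are hypothetical.
function parseMessage(raw) {
  const [start, ...lines] = raw.trim().split(/\r?\n/);
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { start: start.trim(), headers };
}
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// credentialed: assumption that the real request is sent with cookies.
function auditPreflight(rawRequest, rawResponse, credentialed) {
  const req = parseMessage(rawRequest).headers;
  const res = parseMessage(rawResponse);
  const h = res.headers;
  const problems = [];
  const wild = (l) => !credentialed && l.includes("*"); // "*" only counts without cookies
  const status = Number(res.start.split(" ")[1]);
  if (status < 200 || status > 299) problems.push("status " + status + " is not 2xx; the browser stops at the preflight");
  const acao = h["access-control-allow-origin"];
  if (acao !== req["origin"] && !(acao === "*" && !credentialed))
    problems.push("Access-Control-Allow-Origin does not match Origin");
  if (credentialed && h["access-control-allow-credentials"] !== "true")
    problems.push("Access-Control-Allow-Credentials: true is missing");
  const methods = list(h["access-control-allow-methods"]);
  const method = (req["access-control-request-method"] || "").toLowerCase();
  if (!["get", "head", "post"].includes(method) && !methods.includes(method) && !wild(methods))
    problems.push("method " + method + " is not allowed");
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of list(req["access-control-request-headers"]))
    if (!allowed.includes(name) && !wild(allowed)) problems.push("header " + name + " is not allowed");
  return problems;
}

// Sample exchange taken from the post, query string and other headers trimmed.
const REQUEST = `OPTIONS /account/alerts-popup?_xfToken=XXX HTTP/1.1
Host: forum.foo.bar
Access-Control-Request-Headers: accept, x-ajax-referer
Access-Control-Request-Method: GET
Origin: http://www.foo.bar`;
const RESPONSE = `HTTP/1.1 403 Forbidden
Access-Control-Allow-Headers: accept, x-ajax-referer
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Origin: http://www.foo.bar`;

console.log(auditPreflight(REQUEST, RESPONSE, true));
```

Browsers send the preflight `OPTIONS` request without cookies, so an endpoint that answers only for a logged-in session can return 403 to the preflight even though the same URL works when visited directly.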
     
  2. Daniel Hood

    Daniel Hood Well-Known Member

    If you're already instantiating XenForo, why not just load the alerts and stuff through the models instead of making an ajax request?
     
  3. robart

    robart Member

    Hi Daniel - thanks for the reply.

    I guess I'm just trying to mimic the way XenForo does it. I'm having great difficulty figuring out the 403, so maybe loading via the models is the route to take. Now to spend another day figuring out that way :)

    Cheers
     