• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Trying to display Alerts and Convo pop-up off-forum - CORS

#1
Hi All,

I have my forum setup on forum.foo.bar. On foo.bar, I'd like to display the user's alerts, convos, etc.

I instantiate XF on foo.bar, and get the user's proper xfToken, and try to do a cross-domain ajax query

http://forum.foo.bar/account/alerts...estUri=/&_xfNoRedirect=1&_xfResponseType=json

However is gives me a 403. When I directly visit the same ajax URL on it's own, it displays the proper JSON. I'm calling xenforo.js on http://foo.bar to do it, with the proper data-contentSrc, data-contentDest, etc.

If anyone can help troubleshoot, my headers are:

Code:
OPTIONS /account/alerts-popup?_xfToken=XXX&&_xfRequestUri=%2F&_xfNoRedirect=1&_xfResponseType=json HTTP/1.1
Host: forum.foo.bar
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Access-Control-Request-Headers: accept, x-ajax-referer
Access-Control-Request-Method: GET
DNT: 1
Origin: http://www.foo.bar
Referer: http://www.foo.bar/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

HTTP/1.1 403 Forbidden
Access-Control-Allow-Headers: accept, x-ajax-referer
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Origin: http://www.foo.bar
Cache-control: private, max-age=0
Content-Length: 293
Content-Type: application/json; charset=UTF-8
Date: Tue, 05 May 2015 02:54:45 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 05 May 2015 02:54:45 GMT
Server: lighttpd
Set-Cookie: xf_session=71c6f31ee58512aca7ec7739bd9326f0; path=/; domain=.foo.bar; httponly
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.3.29
I notice in calls from http://forum.foo.bar there is an X-Ajax-Referer in the headers. Could this be the issue? How do I go about adding it on http://foo.bar?
 
#3
Hi Daniel - thanks for the reply.

I guess I'm just trying to mimic the way Xenforo does it. I'm having great difficulty figuring out the 403, so maybe loading via the models is the route to take. Now to spend another day figuring out that way :)

Cheers