Paul Ernond Paul Ernond - 5 months ago 72
Javascript Question

CORS remain on SecurityError: The operation is insecure

I have an http server developped using Express in nodejs.
The server is running locally on port 3000.

There is an html page served (index.html) which call ajax GET contents (as html content-type).
Those ajax content are also served with the same server on the same port, in the same http protocole.

In the node server application, I have added Cors Same Origin headers, but, the index.html is still having error in console: "Security Error: The operation is insecure".

In the browser console, I successfully see the headers from the node Express app about "Access-Control-Allow-Origin", etc ...

Additionally, the same application is also serving another page, and the index.html can successfully get data w/o any Security Error.

Do you have any other advice?

function getData(url, type, CType, id) {
//var xhr = new XMLHttpRequest();
//, url, true);
//xhr.withCredentials = true;
//xhr.onload = function () {
//if(CType == 'text/html') { $(id).append(xhr.responseText); }

url: url,
type: type,
success: function(data){
error: function(data) {
console.log('ERROR '+url);

getData(location.protocol+'//'+location.hostname+(location.port ? ':'+location.port: '')+'/modules/mymodule', 'text/html', 'GET', '#content');


initially tested with Firefox 44.0.2 and Chromium 48.0.2564.82 gives: "SyntaxError: Failed to execute 'open' on 'XMLHttpRequest': 'TEXT/HTML' is not a valid HTTP method."

You have your middle two arguments backwards.

getData(location.protocol+'//'+location.hostname+(location.port ? ':'+location.port: '')+'/modules/mymodule', 'text/html', 'GET', '#content');

The second argument should be "GET" and the third argument "text/html".