[SalesForce] Why is CORS (localhost) whitelist not working for authentication

So there are now settings to add domains to the CORS whitelist so they can access the REST API via javascript. I tried to get this to work using my localhost with an a local ssl so its https://coach.dev:8443

But im still getting this error:

XMLHttpRequest cannot load https://test.salesforce.com/services/oauth2/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://coach.dev:8443' is therefore not allowed access.

Any ideas what I might be missing?

UPDATE:

Also important to note if i request the token via the proxy, and then remove the proxy from all the other requests it does seem to respect the CORS settings and let me do queries without a proxy.

Is is just that the token request wont use the CORS?

Best Answer

It is very possible that localhost is the issue and you can only whitelist domains that are externally hosted. But I have no source to back up my assumption. I seem to recall trying this long before I had even heard of Salesforce and it still being a problem.

Something like this question. If you're not using Chrome, then it seems more likely to be a Salesforce issue.

Related Solutions

[SalesForce] File Attachments over AJAX call (XMLHttpRequest error)

You will have to channel through the VF proxy to resolve this error

https://gist.github.com/henriquez/3146782

https://gist.github.com/richardvanhook/4677449

The above gist should help and I have reproduced the content below so that helps even when link is broken .Replace with necessary URL and should help

<apex:page controller="CustomerCommunityController" id="customercommunitycontroller" sidebar="false" showHeader="false" standardStylesheets="false" >
 <head>
    <title>Acme Customer Support</title>
      <meta charset="utf-8" />     
     <apex:includeScript value="{!$Resource.jquery}"/>          
 </head>


 <script type="text/javascript">

 /* Same Origin Policy limits javascript running in VisualForce pages from making requests to 
    APIs, even salesforce apis, because they are hosted on salesforce.com while visualforce 
 pages are served from force.com.  To work around this, configure an ajax proxy in your organization.
 Ajax proxies are configured in setup under Security Controls | Remote Site Settings. Put in a URL    
 into the proxy like https://na1.salesforce.com (or whatever the domain of the api is)

 Once configured, just plain javascript can use the proxy url, which is available at /services/proxy
 The Salesforce Ajax Toolkit is not required, and generally you don't want to use that anyway, since
 its not supported on Safari or Chrome.

 Here's a basic example of how to make a request to the Chatter REST API from a Visualforce page.    
    This also works for portal(community) users and portal pages.
 */

  (function() {
    var $;

      $ = jQuery;

      $(function() {
       var credential = ' OAuth ' + '{!GETSESSIONID()}'; // native VF function
       var apiUrl = "https://na1.salesforce.com/services/data/v26.0/chatter/users/me";
    $.ajax({
        type: "GET",
        // for community pages, use whole community url including path, e.g. 
        // https://logan.blitz01.t.force.com/customers/services/proxy.
        url: "https://c.na1.visual.force.com/services/proxy", 
        contentType: 'application/json',
        cache: false,
        success : function(response) {
                      alert("result" + response);
               },
        error : function(response) {
                      alert("Failed" + response);
               },                 
        dataType: "json",
        beforeSend: function(xhr) {
            xhr.setRequestHeader('SalesforceProxy-Endpoint', apiUrl);
            xhr.setRequestHeader("Authorization", credential);
            xhr.setRequestHeader('X-User-Agent', 'MyClient');
        }


    });
  });

}).call(this);
</script>

 This is your new Page

</apex:page>

[SalesForce] [API][CORS] Not able to use API despite domain being whitelisted

It seems you're trying to authenticate using the CORS request which isn't supported - see this comment for more details. You should be able to use it for any other API requests though - that will also validate that you whitelisted the correct URLs.

Quoting the relevant text below

Since our implementation of CORS relies on you whitelisting an origin, we can't use CORS for authentication, since, until you're authenticated, we don't know if your origin is whitelisted for your org, since we don't know which org you're in.

Best Answer

Related Solutions

[SalesForce] File Attachments over AJAX call (XMLHttpRequest error)

[SalesForce] [API][CORS] Not able to use API despite domain being whitelisted

Related Topic