locked
Dropped support for CORS RRS feed

  • Question

  • Windows Live API 5.0 stopped Access-Control-Allow-Origin support on 11 Jul 2013. This API cannot be reached via XMLHttpRequest. I don't want to use my server as a proxy and JSONP is not elegant enough. How can I get user's info after I received the access token?
    Friday, August 30, 2013 10:32 PM

Answers

  • Can you try using the setRequestHeader method to set an Origin header?  You should just be able to set it to the domain of your web page.

    Carl Hirschman

    Tuesday, September 3, 2013 7:01 PM

All replies

  • What do you mean when you say it cannot be reached?  Can you provide repro steps, and a Fiddler trace?


    Carl Hirschman

    Friday, August 30, 2013 10:49 PM
  • Internet Explorer blocks the request because it is a cross domain. I have been discovering why and discovered that CORS header was recently removed from Windows Live API.
    Saturday, August 31, 2013 5:49 AM
  • Could you please provide some more details?  What's your scenario?  What request are you making against the Live Connect API Service, what headers are you providing, what are you expecting to see that's missing?

    As I mentioned above, a Fiddler trace would be very useful here.


    Carl Hirschman

    Tuesday, September 3, 2013 5:55 PM
  • Here is the code:

    if (location.hash != '') {
        var token = location.hash.match(/access_token=([^&]+)/);
        if ('withCredentials' in new XMLHttpRequest()) {
            var xhr = new XMLHttpRequest();
            xhr.onload = function(e) {
                alert(xhr.response);
            };
            xhr.open('GET', "https://apis.live.net/v5.0/me?access_token=" + token);
            xhr.send(null);
        } else {
            alert('no withCredentials');
        }
    } else {
        location.replace('https://login.live.com/oauth20_authorize.srf?client_id=0000000000000000&response_type=token&scope=wl.signin&redirect_uri=' + document.location);
    }

    The OAuth 2 login is successful, but apis.live.net request is aborted by the IE (IE10 browser mode).

    Tuesday, September 3, 2013 6:17 PM
  • Can you try using the setRequestHeader method to set an Origin header?  You should just be able to set it to the domain of your web page.

    Carl Hirschman

    Tuesday, September 3, 2013 7:01 PM
  • Thank you, it works now. I have expected that the Origin header is set by browser.
    Wednesday, September 4, 2013 12:06 AM
  • Carl, It looks like I am having the exact same problem as Vaclav had trying to make a cross-domain request from browser JavaScript using the Live API 5.0.  But unfortunately I still am blocked.  My problem is that when I try to set the Origin header using...

    • xhr.setRequestHeader('Origin','https://www.mydomain.com')
    • calling this between xhr.open and xhr.send

    IE10 and IE11 browsers return response...

    • SEC7120: Origin https://www.mydomain.com not found in Access-Control-Allow-Origin header.
    • SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

    And when I try this on Chrome 39 browser, setting Origin header does not seem to work in the first place.  It throws error...

    • Refused to set unsafe header 'Origin'

    Is there anything else I can try?

    Thanks, Todd


    Wednesday, January 14, 2015 8:25 AM
  • Hi Vaclav,

    Can you elaborate a bit on how you got this to work?  Think I am having the exact same problem as you, but as you can see from my post to Carl above, the workaround is not actually working for me.

    Thanks,

    Todd

    Wednesday, January 14, 2015 8:27 AM
  • I have been looking for this code in my source control, but without success. I probably never used it in production because it did not work in Chrome. The workaround is send the token to your server and call Live API from the server.

    Wednesday, January 14, 2015 9:52 AM