“no 'Access-Control-Allow-Origin' header is present” error with Cherrypy

Question

I have the following javascript in a HTML page

<script>
    function getContent(page)
    {
        var xmlhttp;
        if (window.XMLHttpRequest)
            {// code for IE7+, Firefox, Chrome, Opera, Safari
                xmlhttp=new XMLHttpRequest();
            }
        else
            {// code for IE6, IE5
                xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
            }
        xmlhttp.onreadystatechange=function()
        {
            if (xmlhttp.readyState==4 && xmlhttp.status==200)
             {
                var json = xmlhttp.responseText;
                obj = JSON.parse(json);
                document.getElementById("content").innerHTML=obj.content;
                document.getElementById("title").innerHTML=obj.title;
             }
        }
    xmlhttp.open("GET","http://differentserver.com:8080?page="+page,true);
    xmlhttp.send();
}
</script>

and a python script using cherrypy that serves JSON, the code of which is:

import cherrypy
import json

class ContentGeneratorService(object):
exposed = True
@cherrypy.tools.accept(media='text/plain')
def GET(self, page='home'):
    file_title = open(page + '.title', 'r')
    file_content = open(page + '.content', 'r')
    return json.dumps({"title": file_title.read().replace('\n', ''), "content":     file_content.read().replace('\n', '') })


def CORS():
cherrypy.response.headers["Access-Control-Allow-Origin"] = "*"

if __name__ == '__main__':
conf = {
    '/': {
        'request.dispatch': cherrypy.dispatch.MethodDispatcher(),
        'tools.sessions.on': True,
        'tools.response_headers.on': True,
        'tools.response_headers.headers': [('Content-Type', 'text/plain')],
        }
    }

cherrypy.server.socket_host = '0.0.0.0'
cherrypy.tools.CORS = cherrypy.Tool('before_handler', CORS)
cherrypy.config.update({'server.socket_port': 8080})
cherrypy.quickstart(ContentGeneratorService(), '/', conf)

However, I get a “no 'Access-Control-Allow-Origin' header is present” error. Is there a way to enable CORS with cherrypy?

Thanks.

Answer 1

It seems to work now. I added

'tools.CORS.on': True

to conf.

Answer 2

cherrypy.response.headers["Access-Control-Allow-Origin"] = "*"

is very risky because now any site can make an AJAX call to your server and get the content served by the python script. Instead using

cherrypy.response.headers["Access-Control-Allow-Origin"] = "your site domain"

is a much secure option.