Posts tagged with blog

Fixing "XMLHttpRequest Origin is not allowed by Access-Control-Allow-Origin" in PHP and CodeIgniter

Mar 16, 2013 in blog, csrf, javascript, php, speak-like-a-brazilian | blog

Since it has been released, Speak Like A Brazilian had a bug when users voted, but had accessed the site via speaklikeabrazilian.com, and not www.speaklikeabrazilian.com (the latter is the base_url in application/config/config.php).

Looking at the developer console in Chrome, you could see that XMLHttpRequest was having trouble by, what looked in principle, like a security bug. Maybe a cross-domain issue.

After searching the Internet, we’ve found what was causing this issue. Unfortunately I lost the link, but in a StackOverFlow discussion, one user said it had something to do with the CSRF check.

A quick test, where we disabled the CSRF token verification, showed that he was right. But we couldn’t simply disable CSRF everywhere. So if you are facing similar issue, here’s the trick: Create a hook that disables CSRF verification only for a certain URL.

It’s not a very nice approach, but as in Speak Like A Brazilian the votes are linked by IP, there’s no need to keep the CSRF token. Here’s the solution that worked for us.

<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

/**
* Security Class
*
* @package hooks
* @description Disables CSRF token for certain pages.
*/

class DisableCSRF
{

function disable_if_callback()
{
if(stripos($_SERVER["REQUEST_URI"],'/rating/expression') !== FALSE)
{
$CFG =& load_class('Config', 'core');
$CFG->set_item('csrf_protection', FALSE);
}
}

}

And as a side note, we are still in honey moon with CodeIgniter. We have just finished another project with it, and so far we haven’t been let down by this amazing framework. Hope it helps you, in case you have similar error.

Happy St. Patricks Day! And happy coding!