No Access-Control-Allow-Origin


I keep getting
Access to XMLHttpRequest at ‘ht tp://localhost/?may=hi’ from origin ‘’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
I tried different things, but I just cannot it change it for it to accept it. (I changed the urls, because it wont let me have more than 2)

url: "h ttp://",
async: false,
type: "POST",
header: {'Access-Control-Allow-Origin': 'h ttp://'},
dataType: "application/x-www-form-urlencoded",
data: "say=hi",
success: function (result) {
error: function (xhr, ajaxOptions, thrownError) {



Add this to the top of your PHP code :
header('Access-Control-Allow-Origin: *');

and make sure you delete the space between http


There is a security system in place to make sure our website hosting can be only used for website hosting. Basically, it ensures that your website can only be opened in a website browser, and it restricts any kind of hotlinking, (cross domain) AJAX or API access.

You can learn more about that security system here:


Yes, I’ve read about it. I am (trying to) doing AJAX to a file on same domain. I have provided a small part of my program. It does not seem to work.

    url: "",
    async: false,
    type: "POST",
    header: {'Access-Control-Allow-Origin': ''},
    data: "cmd=get_notes",
    success: function (result) {
        notes = result;
    error: function (xhr, ajaxOptions, thrownError) {
    contentType: 'application/x-www-form-urlencoded',
    dataType: 'json',


   if ($_POST["cmd"] == "get_notes") {
    header('Access-Control-Allow-Origin: *; Content-Type: application/json; charset=UTF-8');
    $notes = file_get_contents('notes', LOCK_EX);
    echo $notes;


First of all, it might be useful to note two things about the Access-Control-Allow-Origin header:

  • It’s a server header. Having your client code send it to the server doesn’t do anything.
  • Our servers block all CORS, meaning the request will be rejected before it hits your PHP code.

The origin error message suggests the origin domain is localhost, not Does this code work when you upload it to your website instead of only opening it on your own computer?


Yes, right now with some correction in the urls, I get that CORS is blocked. Is there a way to get it working, or this functionality is simply not allowed?


You can learn more about this security system here:

This security system, as with all security systems on free hosting, is mandatory for all accounts and cannot be disabled.


First of all I’d like to thank you for the replies.
I understand completely, that some actions are not allowed and I am not trying to disable it in any way.
Since I am not so skilled in this particular area, I am not sure if this exact functionality is possible (under the current circumstances) just from reading the security policy. I don’t find anything about CORS. It says that Ajax to subdomains are allowed, which is what am trying to do. Is it just a problem of headers, or is it just not allowed


I’m struggling to come up with an explanation which isn’t too technical but still helps you understand what’s going on.

The technical details are in the article, but in short, it’s only possible to access anything on a domain name hosted by InfinityFree if you have opened the domain in your browser before. Opening the domain in your browser executes the security code which generates a token to give you access the site. If there is no token, you can’t access it.

This prevents hotlinking and cross domain requests to any domain name hosted on InfinityFree. It doesn’t matter where the origin website is hosted, what it’s domain is or how it’s configured.

It’s not a header problem. It’s not “not allowed”. It’s not a problem specifically with CORS or Ajax. It’s technically impossible to access anything if you’re not opening that specific domain name through a web browser.

closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.