https://community.developer.cybersource.com/t5/Integration-and-Testing/Access-Control-Allow-Origin/m-p/48765#M24501 <P>Off topic question.</P><P>How are you hiding your transactionKey, LoginID? or stop it from reaching the broswer?</P> Fri, 14 Nov 2014 15:59:47 GMT RaynorC1emen7 2014-11-14T15:59:47Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Access-Control-Allow-Origin/m-p/48763#M24500 <P>We have developed an application utilizing the Authorize.NET API implemented in JavaScript.&nbsp; We have just finished testing (using the dev URL, &nbsp;https://api<STRONG>test</STRONG>.authorize.net/xml/v1/request.api) and all went well.&nbsp; However once we started testing using the production API, we started getting cross-domain scripting errors.&nbsp; We noticed that the headers on the dev API URL contain “Access-Control-Allow-Origin:*”.&nbsp; However, the production API URL (<A target="_blank" href="https://api.authorize.net/xml/v1/request.api)">https://api.authorize.net/xml/v1/request.api)</A> is missing this header which makes cross domain communication via JavaScript impossible.&nbsp; Has anyone else ran into this?&nbsp;</P><P>&nbsp;</P><P>These hearders are bleow. &nbsp;Notice the the missing headers in the second example.</P><P>&nbsp;</P><P>Thank you in advance for any advice.</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN style="font-family: 'courier new', courier;"><SPAN style="text-decoration: underline;"><STRONG>Response Headers for <A target="_blank" href="https://apitest.authorize.net/xml/v1/request.api">https://apitest.authorize.net/xml/v1/request.api</A></STRONG></SPAN></SPAN></P><P><SPAN style="font-family: 'courier new', courier;">HTTP/1.1 200 OK</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Cache-Control: private</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Content-Type: application/xml; charset=utf-8</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Server: Microsoft-IIS/7.5</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">X-AspNet-Version: 2.0.50727</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">X-Powered-By: ASP.NET</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"><STRONG>Access-Control-Allow-Origin: *</STRONG></SPAN></P><P><SPAN style="font-family: 'courier new', courier;"><STRONG>Access-Control-Allow-Methods: GET,POST,OPTIONS</STRONG></SPAN></P><P><SPAN style="font-family: 'courier new', courier;"><STRONG>Access-Control-Allow-Headers: x-requested-with,cache-control,content-type,origin,method</STRONG></SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Date: Fri, 14 Nov 2014 14:52:22 GMT</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Content-Length: 365</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Age: 1</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Via: HTTPS/1.1 localhost.localdomain</SPAN></P><P>&nbsp;</P><P><SPAN style="font-family: 'courier new', courier;"><SPAN style="text-decoration: underline;"><STRONG>Response Headers for <A target="_blank" href="https://api.authorize.net/xml/v1/request.api">https://api.authorize.net/xml/v1/request.api</A></STRONG></SPAN></SPAN></P><P><SPAN style="font-family: 'courier new', courier;">HTTP/1.1 200 OK</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Cache-Control: private</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Content-Type: application/xml; charset=utf-8</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Server: Microsoft-IIS/7.5</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">X-AspNet-Version: 2.0.50727</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">X-Powered-By: ASP.NET</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Date: Fri, 14 Nov 2014 14:53:13 GMT</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Content-Length: 365</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Age: 0</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">Via: HTTPS/1.1 localhost.localdomain</SPAN></P> Fri, 14 Nov 2014 15:41:00 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Access-Control-Allow-Origin/m-p/48763#M24500 00PureSleep00 2014-11-14T15:41:00Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Access-Control-Allow-Origin/m-p/48765#M24501 <P>Off topic question.</P><P>How are you hiding your transactionKey, LoginID? or stop it from reaching the broswer?</P> Fri, 14 Nov 2014 15:59:47 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Access-Control-Allow-Origin/m-p/48765#M24501 RaynorC1emen7 2014-11-14T15:59:47Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Access-Control-Allow-Origin/m-p/48769#M24503 <P>We were under the impression that the keys were specific to referrrals from the host, similar to a Google API Key. &nbsp;We are working to make this a server side implementation now. &nbsp;Thanks for the feedback.</P> Fri, 14 Nov 2014 16:52:18 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Access-Control-Allow-Origin/m-p/48769#M24503 00PureSleep00 2014-11-14T16:52:18Z