
The Same Origin Policy disallows reading the remote resource at https://api.authorize.net/xml/v1/req

See my previous post here which details my suspicion of an issue with the accept.js script not fully loading.
 
Today one of our phone reps was placing an order for a customer and ran into this issue again. However this time I was able to get them to show the console log, and lo this message appears...
 
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.authorize.net/xml/v1/request.api. (Reason: CORS request did not succeed)
 
Can someone explain how this is happening? It's starting to be a real concern for us, not to mention a total pain.
 
 
hojo
Member
9 REPLIES 9

Would love an answer from Authorize.net on this issue. In my previous post one of the moderators made mention of the developers pushing a fix for something. Was this the fix she was talking about?


@ElaineM If I am correctly assuming that you are seeing what you describe for this known cause, I can advise that our developers are currently working on an enhancement for an upcoming release to address this concern. Although we do not have an ETA for release, we are hopeful it will be soon.


hojo
Member

Seems like the developers and/or mods are not interested in this issue, or my other issue.

 

Your support channel is asking us to come here and post, and many of the posts are being ignored. Not a great way to treat your developers at all.

hojo
Member

@hojo 

 

I will try to help you when I am killing time.  Post your js for the form processing. That's what we need to help you.  

Thanks @Renaissance , I appreciate you reaching out. Here's the code we're running, pretty much a direct copy/paste from their documentation. The exception being we are running this code inside jquery validate.

 

 

$("form[name=checkoutStep3]").validate({
   rules: {...},
   messages: {...},
   errorPlacement: function(error, element) {...},
   submitHandler: function(form) {

       // disable button and change text to please wait
       $("button[type=submit]").prop("disabled",true).text("Please Wait...");   

       // build the data needed to send to authnet
       var authData = {};
           authData.clientKey = document.getElementById("CLIENT_KEY").value;
           authData.apiLoginID = document.getElementById("API_LOGIN_ID").value;
       var cardData = {};
           cardData.cardNumber = document.getElementById("USER_CARD_NUMBER").value.replace(/\s+/g, '');
           cardData.month = document.getElementById("USER_CARD_EXPIRATION_MONTH").value;
           cardData.year = document.getElementById("USER_CARD_EXPIRATION_YEAR").value;
           cardData.cardCode = document.getElementById("USER_CARD_CVV_CODE").value;
       var secureData = {};
           secureData.authData = authData;
           secureData.cardData = cardData;

       // send data to authnet
       Accept.dispatchData(secureData, 'handleAuthnetResponse');

       // function to handle the response
       window.handleAuthnetResponse = function(response) {

           // if there is an error in the response
           if (response.messages.resultCode === "Error") {

               var i = 0;

               while (i < response.messages.message.length) {

                   //console.log(response.messages.message[i].code + ": " + response.messages.message[i].text);

                   // alert out the error to the user
                   alert("Error: " + response.messages.message[i].text);

                   i = i + 1;

               }

               // Put the button back to the starting state
               $("button[type=submit]").prop("disabled",false).text("Continue To Review");

           }
           else {

               paymentFormUpdate(response.opaqueData);

           }
       }

       // function to update the form with the data descriptor and value coming from authnet
       function paymentFormUpdate(opaqueData) {

           // get the data descriptor and value
           document.getElementById("DATA_DESCRIPTOR").value = opaqueData.dataDescriptor;
           document.getElementById("DATA_VALUE").value = opaqueData.dataValue;

           // remove values from form
           document.getElementById("USER_CARD_NUMBER").value = "";
           document.getElementById("USER_CARD_EXPIRATION_MONTH").value = "";
           document.getElementById("USER_CARD_EXPIRATION_YEAR").value = "";
           document.getElementById("USER_CARD_CVV_CODE").value = "";

           form.submit();
       }
   }
});


Because of some old posts I read dealing with CORS issues (see here), you'll see this (callback function is in quotes)...

 

       Accept.dispatchData(secureData, 'handleAuthnetResponse');

 

and this (window.handleAuthnetResponse)...

 

window.handleAuthnetResponse = function(response) {

 

instead of this...

 

       Accept.dispatchData(secureData, handleAuthnetResponse);

 

and this...

 

function handleAuthnetResponse(response) {

 

I didn't see any improvement in terms of the frequency in which we see these CORS issues, but it was worth a shot. At the moment we're seeing maybe a couple per day out of ~300 transactions using this form. 

 

@hojo

I will have to look at this. Getting breakfast now. I can’t help but wonder if your modification of the script has something to do with it. I have no idea what, until I look at this a little more. If it was something with anet I would imagine there would be dozens of posts like this every week.

It looks like the primary use of the jquery is to disable the submit button. I would expect a.net has it built in to prevent duplicate transactions. Maybe in the short term you could try using an unmodified script. Also- these 300 per day transactions are happening on the same network?

Hey @Renaissance, again, I sincerely appreciate your help.

 

jQuery is used to validate the form. We have a question inside this form which asks for their profession. So we validate to make sure that question is answered. I could remove jQuery validate and just do it inline, if you feel that is somehow causing an issue.

 

I have run this script both with and without disabling the button, it didn't seem to change anything. We have a lot of double clickers, so it's something we've had to do site-wide. My fear is that once dispatchData is run (on one click) another click would cause it to run again which would cause problems. But I'm not opposed to removing that also.

 

Yes, all of those transactions are happening on the same network. However we do use AWS load balancing so they are not all coming from the same server.

 

The thing that is very peculiar to me is the message "Cross-Origin Request Blocked" and it's almost like dispatchData never comes back with the token. We have some very advanced logging in place now (because of all of this mess) and we can tell when we do and do not get a response. It's like authnet's server is rejecting the request from its own function. Here is a screencap of a console.log message where this happened yesterday... https://i.imgur.com/0a76Ogf.png

@hojo

Yeah CORS is related to the domains and the browser. I am wondering if it may be browser specific. It is odd that you are getting only 1% or 2% of your transactions doing this. I am still at a loss for what is happening exactly, but I think that a good step might be to do some systematic testing. Find out the browser version each person is using when this happens and try to recreate the event. I’ve still yet to look at your code in depth. Been busy.
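
One way to collect the data this kind of systematic testing needs, as an added example that is not part of the thread or Authorize.net's code: a wrapper that records whether `Accept.dispatchData` returned a token, returned an API error, threw, or never called back, together with the browser's user agent. `dispatchWithWatchdog`, its `opts` fields and the outcome labels are hypothetical names; the timer functions are injectable only so the logic can be tested outside a browser.

```javascript
// Added example, not Authorize.net or thread code. Only Accept.dispatchData and
// the response.messages fields come from the code posted earlier in the thread.
function dispatchWithWatchdog(accept, secureData, opts) {
    var setTimer = opts.setTimer || setTimeout;      // injectable for testing
    var clearTimer = opts.clearTimer || clearTimeout;
    var started = Date.now();
    var settled = false;
    var timer = null;

    function settle(outcome, response) {
        if (settled) { return; }                     // drop late or duplicate callbacks
        settled = true;
        clearTimer(timer);
        // Safe to send to a log endpoint: no card fields and no opaqueData.
        var record = {
            outcome: outcome,
            codes: response ? response.messages.message.map(function (m) { return m.code; }) : [],
            userAgent: typeof navigator !== "undefined" ? navigator.userAgent : "unknown",
            elapsedMs: Date.now() - started
        };
        opts.onDone(record, response);
    }

    // When the request to request.api fails in the browser, the handler may never
    // run (the symptom described in the thread); the timer makes that explicit.
    timer = setTimer(function () { settle("no_response", null); }, opts.timeoutMs || 15000);

    try {
        // Throws if accept is undefined, e.g. accept.js did not finish loading.
        accept.dispatchData(secureData, function (response) {
            var failed = response.messages.resultCode === "Error";
            settle(failed ? "api_error" : "token", response);
        });
    } catch (e) {
        settle("dispatch_threw", null);
    }
}

// Inside submitHandler (browser), assuming paymentFormUpdate from the posted code:
// dispatchWithWatchdog(window.Accept, secureData, { onDone: function (record, response) {
//     if (record.outcome === "token") { paymentFormUpdate(response.opaqueData); }
//     else { /* re-enable the button and send record to the server log */ }
// }});
```

Because `settle` runs once per call, a response that arrives after the timeout is ignored rather than submitting the form behind the user's retry.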

I am having a very similar problem to this. Has there been any traction on this?

@smchris

I think what you need to do is add some headers