I’ve added everything to my Apache htaccess:

Header set Access-Control-Allow-Headers: X-Requested-With
Header set Access-Control-Allow-Methods: OPTIONS
Header add Access-Control-Allow-Methods: GET
Header add Access-Control-Allow-Methods: POST
Header add Access-Control-Allow-Headers: Content-Type
Header add Access-Control-Allow-Headers: Depth
Header add Access-Control-Allow-Headers: User-Agent
Header add Access-Control-Allow-Headers: X-File-Size
Header add Access-Control-Allow-Headers: X-Requested-With
Header add Access-Control-Allow-Headers: If-Modified-Since
Header add Access-Control-Allow-Headers: X-File-Name
Header add Access-Control-Allow-Headers: Cache-Control
Header set Access-Control-Allow-Origin: http://mysite.com 
Header add Access-Control-Allow-Origin: https://mysite.com
Header set Access-Control-Allow-Credentials: true

I added this to my jquery $.ajax:

xhrFields: {
    withCredentials: true
}

Absolutely nothing works.

I’m doing $.ajax with

type: 'POST',
dataType: 'json'

I thought by setting all of those headers above, I could do json not jsonp (please no jsonp. anything but jsonp. i can’t get success to fire. please.god.no)

I’m at my limits. I’m getting the good ole

XMLHttpRequest cannot load https://mysite.com/aDirectory/aSecureFile.php. Origin http://mysite.com is not allowed by Access-Control-Allow-Origin.

Please help. I’m dying here. I promise I’ve looked everywhere, oh, have I looked everywhere.

Many thanks in advance!

Clarity

My headers are all coming across. I can see them in my response headers, but I’m still getting the above error. Is the server blocking? The browser? Is there something special I have to do to do https? Is there another setting on Apache I have to set to allow CORS? Is my jQuery $.ajax correct? Aside from data and success and error (and the URL always being https), that’s all I’m doing to the jQuery $.ajax.

Thanks again!

new

Cross Domain AJAX preflighting failing Origin check didn’t help (I don’t think). Added

Header set Access-Control-Allow-Headers: ORIGINS

(adjusting for sets and adds). All response headers coming down the pipe.

newer

Added these

Header add Access-Control-Allow-Headers: Origin
Header add Access-Control-Allow-Headers: Accept

still nothing

REQUEST HEADERS

Do these help?

Accept:application/json, text/javascript, /; q=0.01
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Origin:http://mysite.com
Referer:http://mysite.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

PHP

header("Access-Control-Allow-Origin: http://mysite.com");
header("Access-Control-Allow-Origin: https://mysite.com");

RESPONSE HEADERS CLARITY

The RESPONSE HEADERS are coming through on all normal requests not the cross domain https ajax.

Server

CentOS 5.8, Apache 2.2.2, PHP 5.3, cPanel, WHM

Fine, if PHP not executing

So, in my haste, I copied slashingweapon’s cors.php directly without php tags. I made a test page with $.ajax using the settings above.

It worked (as in there were no errors when the ajax fired) complete with response headers. As soon as I added the tags to the PHP, the error happened. I checked to see if it was a directory issue, putting it in both root and a subdirectory, fine as long as PHP is not executing.

Does this mean anything to anyone?

Is there a PHP setting that needs to be flipped?

Thanks to all for grinding this out with me!

We have a heartbeat

It looks like multiple arguments in the htacess craps my server out. I reduced all those options above to this (which is fine for me, but I pity da fool who needs more):

<IfModule mod_headers.c>
<FilesMatch "\.(php)$">
Header set Access-Control-Allow-Origin: http://mysite.com
Header add Access-Control-Allow-Methods: POST
</FilesMatch>
</IfModule>

All I put in the PHP was

echo "this works at least":

And that came in the response. Once I figure out what’s causing my PHP to fail, I’ll post it.

Again, thanks all!

Zend Guard the problem?

Sooooooooo, sorry guys. Forgot to add that my site’s running Zend Guard. Have a feeling that’s causing it.