XMLHttpRequest cannot load. Origin is not allowed by Access-Control-Allow-Origin

This is happening because of the CORS (Cross Origin Resource Sharing) error. A request for a resource (like an image or a font) outside of the origin is known as a Cross-Origin Request. Cross Origin Resource Sharing (CORS) manages cross-origin requests. For example, if you are doing something like writing HTML and Javascript in a code editor on your personal computer, and testing the output in your browser, you might probably get error messages about Cross Origin Requests . You cannot issue requests through the XMLHttpRequest to other domains or subdomains.

JSONP (JSON with Padding)

xmlhttprequest cannot load is not allowed by access-control-allow-origin
JSONP ( JSON with Padding ) is a method commonly used to bypass the cross-domain policies in web browsers. You're on domain example.com , and you want to make a request to domain example.net . To do so, you need to cross domain boundaries. JSONP is really a simple trick to overcome the XMLHttpRequest same domain policy. So, instead of using XMLHttpRequest we have to use < script > HTML tags, the ones you usually use to load JavaScript files , in order for JavaScript to get data from another domain. JSONP requests are not dispatched using the XMLHTTPRequest and the associated browser methods. Instead a < script > tag is created, whose source is set to the target URL . This script tag is then added to the DOM (normally inside the < head > element).

JSONP Request:

var tag = document.createElement("script"); tag.src = 'somewhere_else.php?callback=foo'; document.getElementsByTagName("head")[0].appendChild(tag);
Here you can see the JSONP response object is passed as an argument to a callback function.
foo( { "bar": "baz" } );
This is why you see JSONP requests containing the callback parameter, so that the server knows the name of the function to wrap the response. This function must exist in the global scope at the time the < script > tag is evaluated by the browser (once the request has completed). The following assumes a response object { "bar" : "baz" }.
function foo(response) { document.getElementById("output").innerHTML = response.bar; }; var tag = document.createElement("script"); tag.src = 'somewhere_else.php?callback=foo'; document.getElementsByTagName("head")[0].appendChild(tag);
That's all there is to know about JSONP : it's a callback and script tags.
xmlhttprequest cannot load due to access control
Since JSONP ( JSON with Padding ) works by appending a < script > element to load the data in the form of a JavaScript program which calls a function already in the page, attempting to use the JSONP technique on a URL which returns JSON will fail — typically with a CORS error — because JSON is not JavaScript.

Local Development (Chrome)

In simple words, this error occurs when we try to access a domain/resource from another domain. If this is for local development and you are using Chrome , you need to run Chrome with a couple of arguments to relax security like this:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --allow-file-access-from-files --disable-web-security


If you need to enable CORS on the server in case of localhost, you need to have the following on request header.
Access-Control-Allow-Origin: http://localhost:9999

xmlhttprequest cannot load access control checks

Using Proxy

The other easy way out, would be to create a proxy on your local server, which gets the remote request and then just forwards it back to your javascript.

Browser extensions

Cross Origin Resource Sharing ( CORS ) is blocked in modern browsers by default (in JavaScript APIs). It is possible for a browser extension to inject the CORS headers in the response before the Same Origin Policy (SOP) is applied. These can be useful for development, but are not practical for a production site.

Cross-Origin Resource Sharing (CORS)

CORS is a mechanism by which data or any other resource of a site could be shared intentionally to a third party website when there is a need. It uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. It extends and adds flexibility to the same-origin policy (SOP). However, it also provides potential for cross-domain based attacks, if a website's CORS policy is poorly configured and implemented.

Same-Origin Policy (SOP)

The SOP ( same-origin policy ) is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. A browser can load and display resources from multiple web-sites at once. You might have multiple tabs open at the same time, or a web-site could embed multiple iframes from different sites. If there is no restriction on interactions between these resources, and a script is compromised by an attacker, the script could expose everything in a user's browser. The SOP prevents this from happening by blocking read access to resources loaded from a different origin . Same-Origin Policy ( SOP ) is supported by effectively all modern browsers. It is a rule enforced by web browsers, which controls access to data between websites and web applications . An origin is defined by the scheme, host, and port of a URL. It is a browser security feature that restricts how documents and scripts on one origin can interact with resources on another origin. Without this policy , any web page would be able to access the Document Object Model (DOM) of other pages. This would let it access potentially sensitive data from another web page as well as perform actions on other web pages without user consent.