apache2 server settings

 

(índice):1 Access to fetch at 'http://10.10.1.69/collins.json' from origin 'https://www.collinsdictionary.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

how to solve this issue?

 

You've hit the classic web security "wall." Because you are on collinsdictionary.com (HTTPS), the browser is protecting that site from making unauthorized requests to your local IP (HTTP).

Since you likely control the Apache server on 10.10.1.69, you can solve this by telling Apache to send a "hall pass" (CORS header) to the browser.


Option 1: The "Proper" Fix (Modify Apache)

You need to enable the headers module in Apache and configure it to allow requests from other origins.

  1. Enable the headers module:

    Bash
     
    sudo a2enmod headers
    
  2. Edit your Apache configuration:

    Open the default site config:

    Bash
     
    sudo nano /etc/apache2/sites-enabled/000-default.conf
    
  3. Add the Header line:

    Inside the <VirtualHost *:80> block, add this line:

    Apache
     
    Header set Access-Control-Allow-Origin "*"
    

    (Note: Using "*" allows any site to read the file. For a lab machine, this is fine. In production, you'd replace * with the specific domain.)

  4. Restart Apache:

    Bash
     
    sudo systemctl restart apache2
    

Option 2: The "Quick & Dirty" Fix (No Config)

If you don't want to mess with Apache settings, the easiest way to bypass CORS in the console is to navigate the browser to a neutral page.

  1. In Chrome, open a completely blank tab.

  2. In the address bar, type about:blank and hit Enter.

  3. Now try running your fetch() code in that console.

Because about:blank has no "origin," Chrome often relaxes the CORS requirements for local IP requests. Even better, just navigate to http://10.10.1.69/ directly and run the code there.


Option 3: Use a Chrome Extension (For Testing Only)

If you do this often, you can install a Chrome extension like "Allow CORS: Access-Control-Allow-Origin."

  • How it works: It intercepts the browser's request and "fakes" the permission header.

  • Warning: Turn this OFF when you aren't testing, as it effectively disables a major security feature of your browser.

Why is this happening?

The browser performs a Preflight Request. It asks the server: "Hey, is it okay if this random website reads your files?" If Apache doesn't respond with Access-Control-Allow-Origin, the browser assumes the answer is "No" and blocks the data to protect your privacy.

Which of these approaches sounds easier for your current project?

 

 

 

in Firefox console,

run this piece of code:

 

const response = await fetch('http://10.10.1.69/collins.en2es.json');

const data = await response.json();

console.log(data.length);

 

I get this: Blocked loading mixed active content “http://10.10.1.69/collins.en2es.json” www.collinsdictionary.com

 

Firefox is being even stricter than Chrome here. This isn't just a CORS issue; it is a Mixed Content block.

Because you are on https://www.collinsdictionary.com (Secure), Firefox refuses to let you fetch data from http://10.10.1.69 (Insecure). It views this as a security downgrade—basically, a secure site shouldn't be allowed to talk to an unencrypted source because a "man-in-the-middle" could swap your JSON file with malicious code.

The Quickest Fix (The "Same-Origin" Trick)

The simplest way to bypass both Mixed Content and CORS without changing any settings is to run the code from a page that is already on your server.

  1. In your Firefox address bar, go to: http://10.10.1.69/

  2. Open the Console (F12).

  3. Run your code again:

    JavaScript
     
    const response = await fetch('http://10.10.1.69/collins.en2es.json');
    const data = await response.json();
    console.log(data.length);
    

Because you are now on an http page, Firefox won't trigger the "Mixed Content" alarm, and because you are fetching from the same IP, CORS won't block you.


The "Force it to work on Collins" Fix

If you absolutely must run this while looking at the Collins Dictionary website, you have to tell Firefox to lower its guard for that specific tab:

  1. Look at the Address Bar in Firefox.

  2. On the far left (next to the URL), you should see a Shield Icon or a Lock Icon with a warning.

  3. Click it and select "Disable protection for now" (it might say "Enhanced Tracking Protection is ON" or show a "Permissions" section).

  4. Alternatively, you can go to about:config in a new tab, search for security.mixed_content.block_active_content, and set it to false (Not recommended for daily browsing, turn it back on afterward!).

Why did Chrome and Firefox give different errors?

  • Chrome focused on the CORS violation (Origin A vs Origin B).

  • Firefox stopped you even earlier because of the Mixed Content violation (HTTPS vs HTTP). Active content (like a fetch call) is blocked by default in almost all modern browsers when initiated from a secure site to an insecure one.

Is the goal to script some data processing against the Collins site, or are you just trying to verify your JSON data?

 

 

 

tell me how to execute this js http://10.10.1.69/my.js on my firefox console.

 

Since you are dealing with the same Mixed Content and CORS restrictions as before, you can't simply "fetch" and run the script while you are on a secure site like Collins Dictionary.

To execute a remote script directly in the Firefox console, you have three main ways to do it, depending on how much "security friction" you want to deal with.


Option 1: The "Direct Injection" Method (Recommended)

This is the cleanest way. It creates a <script> tag, points it to your Kali server, and attaches it to the webpage.

Note: For this to work, you must be on an http page (like http://10.10.1.69) or have disabled "Enhanced Tracking Protection" in Firefox for the site you are on.

JavaScript
 
var script = document.createElement('script');
script.src = 'http://10.10.1.69/my.js';
document.head.appendChild(script);

Option 2: The "Fetch and Eval" Method

If you want to load the code and execute it immediately as a string, you can use eval().

JavaScript
 
fetch('http://10.10.1.69/my.js').then(response => response.text()).then(code => {eval(code);});

  • Pros: Gives you control over when the code runs.

  • Cons: Will be blocked by CORS unless you added the Header set Access-Control-Allow-Origin "*" to your Apache config earlier.


Option 3: The "No-Code" Way (The Easiest)

If you are just trying to test the logic in my.js:

  1. Open your browser and go to http://10.10.1.69/my.js.

  2. The browser will display the raw text of your JavaScript file.

  3. Ctrl+A (Select All) and Ctrl+C (Copy).

  4. Go to the tab where you want to run it, open the Console (F12).

  5. Ctrl+V (Paste) and hit Enter.

This bypasses every single security restriction (CORS, Mixed Content, etc.) because you are manually providing the code rather than asking the browser to fetch it.


Troubleshooting Firefox Security

If you try Option 1 or 2 and see a "Blocked" message in the console, Firefox is protecting you from Mixed Content.

  1. Look for the Shield Icon to the left of the URL bar.

  2. Turn OFF "Enhanced Tracking Protection" for that site.

  3. If it's a "Mixed Active Content" error, click the Lock Icon -> Connection Secure -> Disable Protection for now.

Quick Tip: If your my.js is meant to work with that collins.json file, make sure the JSON fetch inside the script uses the full URL (http://10.10.1.69/collins.json) so it doesn't try to look for the file on the Collins Dictionary servers!

 

 

 
