Question
Adqura
IN
Last activity: 4 Oct 2018 13:54 EDT
CORS- Pre-Flight Requests Failing
We are trying to access a REST service exposed from a Pega application from another web application.
We configured HTTP header as below for CORS.
However, requests are failing with below errors:
XMLHttpRequest cannot load http://myPegaApp.com/Service. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://myAnotherApp.com' is therefore not allowed access.
Do we have to configure OPTIONS method to pass preflight request? Are there any other configurations to be done to pass preflight requests?
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
Accepted Solution
Hello,
During the course of investigation, it was found that this is a product enhancement. An enhancement request has been submitted through an internal tool for consideration by Pega Product Management.
I have tagged the enhancement (FDBK) number to the above post by adding it under the Related Work section. Please refer the same to your Account Executive to know its status.
Regards,
Lochan | Online Community Moderator | Pegasystems Inc.
PEG
PL
As per the CORS specifications –
A resource makes a cross-origin HTTP request when it requests a resource from a different domain than the one which served itself. For example, an HTML page served from http://domain-a.com makes an <img> src request for http://domain-b.com/image.jpg. Many pages on the web today load resources such as CSS stylesheets, images and scripts from separate domains.
CORS gives web servers cross-domain access controls, which enable secure cross-domain data transfers.
Modern browsers use CORS in an API container, such as XMLHttpRequest, to mitigate risks of cross-origin HTTP requests.
Note that the CORS communication and access must happen using http:// across the domains; the user tried invoking the REST service with CORS using file:// (local file) and so got this error.
Therefore, Pega recommends user to try this invocation from a page, which is hosted on a domain server instead of a local file path.
Kindly follow below link, that may help :
Adqura
IN
We have followed the same instructions as mentioned in the above post, which is part of one of the PDN links.
The issue is not resolved. Can you please help us?
PEG
PL
As the issue didn't get fixed by above approach, could you share your complete design so that we could see why the issue is coming?
Do give the screenshots and steps to reproduce.
Pegasystems Inc.
US
Hi Raju,
You don't need to specifically configure OPTIONS method. The browser sends a preflight request automatically to target server from the client before making the actual request as per CORS. Server sends back preflight response with the supported methods, allowed-origins, headers like below.
Access-Control-Allow-Origin: http://myanotherapp.com/
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: X-Custom-Header
Content-Type: text/html; charset=utf-8
Somehow Access-Control-Allow-Origin is missing from your target http://mypegaapp.com/Service server's preflight response.
Assuming that you didn't alter any of the CORS-related default DSS values, can you try setting the Access-Control-Allow-Origin header value at your target http://mypegaapp.com/Service server level? (Refer to your server-specific config - enable cross-origin resource sharing)
Set this header value to http://myanotherapp.com/ (your client origin) or * to allow all origins.
Let us know your observations.
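Added example (not part of the original thread and not Pega code): a JavaScript function that applies the checks a browser makes on a preflight response, run against constructed responses that include the missing-header case from the error in the question. The name `checkPreflight` and all sample values are assumptions made for illustration.

```javascript
// Added example: the browser-side checks applied to a preflight (OPTIONS) response.
// Assumptions: res.headers uses lowercase names; req.headers lists only the
// non-safelisted request header names; all sample values are constructed.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const splitList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

function checkPreflight(req, res) {
  const h = res.headers;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return "no Access-Control-Allow-Origin header";
  // Exact string match against the Origin header: scheme://host[:port], no path.
  const wildcardOk = acao === "*" && !req.credentials;
  if (!wildcardOk && acao !== req.origin) return "origin mismatch: " + acao;
  if (req.credentials && h["access-control-allow-credentials"] !== "true")
    return "credentials not allowed";
  if (res.status < 200 || res.status > 299) return "preflight status is not 2xx";
  const methods = splitList(h["access-control-allow-methods"]);
  const anyMethod = methods.includes("*") && !req.credentials;
  if (!SAFELISTED_METHODS.has(req.method) && !anyMethod && !methods.includes(req.method))
    return "method not allowed: " + req.method;
  const allowed = splitList(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  const anyHeader = allowed.includes("*") && !req.credentials;
  for (const name of req.headers.map((s) => s.toLowerCase())) {
    // "*" never covers Authorization; it must be listed by name.
    if (!allowed.includes(name) && !(anyHeader && name !== "authorization"))
      return "request header not allowed: " + name;
  }
  return "ok";
}

// Constructed request modelled on the thread: a PUT with a custom header.
const request = { origin: "http://myanotherapp.com", method: "PUT",
                  headers: ["X-Custom-Header"], credentials: false };
const allow = { "access-control-allow-methods": "GET, POST, PUT",
                "access-control-allow-headers": "X-Custom-Header" };
const respond = (extra) => ({ status: 200, headers: { ...allow, ...extra } });

function demo() {
  return {
    missing: checkPreflight(request, respond({})),
    exact: checkPreflight(request, respond({ "access-control-allow-origin": request.origin })),
    trailingSlash: checkPreflight(request, respond({ "access-control-allow-origin": request.origin + "/" })),
    wildcard: checkPreflight(request, respond({ "access-control-allow-origin": "*" })),
    wildcardWithCredentials: checkPreflight({ ...request, credentials: true },
                                            respond({ "access-control-allow-origin": "*" })),
  };
}
console.log(demo());
```

A `*` value passes only for requests sent without credentials and lets any origin read the response, so echoing an origin from an explicit allowlist is the tighter setting.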
PEG
PL
You can quickly check the below help. Just in case you missed anything.
https://community.pega.com/sites/default/files/help_v718/procomhelpmain.htm
Adqura
IN
Thanks for your replies. We have tried everything; the issue is not yet resolved.
We will try to add the headers at Tomcat level and still the issue persists.
@Harish Gunneri : (Refer to your server-specific config - enable cross-origin resource sharing)
We have developed our own proxy code as a workaround, which is already working for us; it's mentioned in the above links.
The problem with that solution is that we are adding an additional hop, which we wanted to avoid.
Looks like information in the below links is applicable for Pega API only.
https://community.pega.com/sites/default/files/help_v718/procomhelpmain.htm
Pegasystems Inc.
US
Hi Raju Badkal,
Upon reviewing this post I found that you are still working with GCS on your SR. Please update this thread when that is resolved with the resolution.
Thanks!
Adqura
IN
Hi Lochan,
Can you please let us know the status of the enhancement request (FDBK-15480), and whether this issue has been addressed/fixed in 7.2/7.3 or is yet to be addressed?
Thanks
Raju Badkal
Pegasystems Inc.
US
Hi Raju,
The FDBK-15480 status is coming soon, hence it is not addressed in 7.2/7.3.
Regards
Mahesh
Updated: 2 Mar 2018 3:05 EST
Cognizant
IN