Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Abhishek Gubba (Abhishek0256)
Centene Corporation

Centene Corporation
US
Abhishek0256 Member since 2020 7 posts
Centene Corporation
Posted: Sep 16, 2021
Last activity: Sep 17, 2021
Posted: 16 Sep 2021 18:11 EDT
Last activity: 17 Sep 2021 7:00 EDT
Closed

CORS request is blocked when a Pega Service HTTP is invoked from a third party application via browser

Issue:

We have a Service HTTP created in a Pega v7.2 application, this service is being invoked from an external application (AWS Connect Soft Phone Portal) via a browser like chrome. In the network trace it is seen that the request did not reach the server due to a CORS error.

Can someone please suggest on how to bypass the CORS configuration for Service HTTP rules in Pega v7.2?

Can we implement a CORS policy or restriction within Pega or at application server level?

Service HTTP format:

https://myapp.com/prweb/PRHTTPService/ServicePackage/Class/Method?Param1=123&Param2=123&Param3  

Network Trace:

A cross-origin resource sharing (CORS) request was blocked because of invalid or missing response headers of the request or the associated preflight request . To fix this issue, ensure the response to the CORS request and/or the associated preflight request are not missing headers and use valid header values. Note that if an opaque response is sufficient, the request's mode can be set to no-cors to fetch the resource with CORS disabled; that way CORS headers are not required but the response content is inaccessible (opaque).

***Edited by Moderator: Pooja Gadige to add platform capability tag***
To see attachments, please log in.
Pega Platform 7.2
Dev/Designer Studio
User Experience
Healthcare and Life Sciences
Senior System Architect

Posted: 3 years ago
Posted: 17 Sep 2021 5:49 EDT
Angel Hermira (Angel Hermira)
PEGA
Principal Product Manager, Robotics
Pegasystems Inc.
GB

@Abhishek0256 ,

Hi,

Similarly to what we do when we need to invoke external services from the browser in a Pega Application (i.e. Google Analytics). You need to declare the list of known/authorise exceptions in the host application Content Security Policy (CSP). In Pega we do this in the Application's security tab with the CSP rule. In your case you need to do it in the host application. The CSP needs to be present allowing the call to the Pega service in the main HTML form headers as CORS declaration. You may also need to include the CORS declaration in the web.xml file in the hosting server.

Have a look at https://www.w3.org/TR/referrer-policy/ and https://www.w3.org/TR/CSP3/ to understand a bit better the issue and what you need to do.

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice