Relaxing Same Origin Policy on IAC
We are currently using Pega 7.1.7 in the cloud as well as IAC. We are integrating Pega into a 3rd party asp.net based application. The application is working however we are getting errors in the JavaScript console related to the same origin policy, which are rightfully valid.
For instance:
XMLHttpRequest cannot load https://someclient.pegacloud.com/prgateway/PRPCGateway. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://secure.somedomain.com' is therefore not allowed access.
pzpega_ui_backbone_1798164053!pzpega_ui_jstree_1188219908!pzpega_ui_designer_tree_bundle_12945517662!!.js:5 Uncaught SecurityError: Blocked a frame with origin "https://someclient.pegacloud.com" from accessing a frame with origin "https://secure.somedomain.com". Protocols, domains, and ports must match.
We are currently using Pega 7.1.7 in the cloud as well as IAC. We are integrating Pega into a 3rd party asp.net based application. The application is working however we are getting errors in the JavaScript console related to the same origin policy, which are rightfully valid.
For instance:
XMLHttpRequest cannot load https://someclient.pegacloud.com/prgateway/PRPCGateway. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://secure.somedomain.com' is therefore not allowed access.
pzpega_ui_backbone_1798164053!pzpega_ui_jstree_1188219908!pzpega_ui_designer_tree_bundle_12945517662!!.js:5 Uncaught SecurityError: Blocked a frame with origin "https://someclient.pegacloud.com" from accessing a frame with origin "https://secure.somedomain.com". Protocols, domains, and ports must match.
pzpega_ui_backbone_1798164053!pzpega_ui_jstree_1188219908!pzpega_ui_designer_tree_bundle_12945517662!!.js:5 Uncaught TypeError: Cannot read property 'start' of undefined
We would like to relax the same origin policy on the IAC instance by enabling cross-origin resource sharing (CORS). Specially, adding “https://secure.somedomain.com” to the Access-Control-Allow-Origin header. See:
http://enable-cors.org/server_tomcat.html
The application itself is working but we do not want these erros and would like the DOMSto be accessible by the iframes. Does Pega have any other clients that are doing this? What does Pega recommend?
Thanks,
Pegasystems Inc.
US
In fact, prgateway should not be needed nor should you sacrificing CORS. You can setup a reverse proxy between your own web app hosting IAC gadgets and that of the pega application servers. Check how to setup reverse proxy here: https://pdn.pega.com/how-configure-reverse-proxy-server. Option A.
Healthfirst
US
Hi Keven,
Thanks for your response. A reverse proxy does not solve this issue for us due to constraints on the 3rd Party host and is one of the reasons why we are looking at the CORS header.
Thanks,
David
Pegasystems Inc.
US
David,
I am be very interested to know the details of your topology and understand why not. Looks like your prpc is running in pega cloud? Have you worked with pegacloud team if that is the case?