Hi,
I have created an external page that contains calls to show smart UI widgets. There are a few widgets that just work without any issues; however, some produce CORS-related error messages, for instance the browse widget.
I've seen CORS warnings on the properties page where a) the creator / owner has a photo set and b) the document's first-page thumbnail is shown, as well as in 16.2.7 when you switch to the new grid view (similarly to properties b, this loads thumbnails).
When examining the headers of any request, I can see that sometimes Access-Control-Allow-Origin is set to the correct "external page", sometimes it is set to "null", and in some cases it is missing altogether. On the web server where CS is installed, we don't set any headers at all.
So where does this header come from? OTDS? And why are there different values? Do the /widgets?crossOrigin=true JS scripts have something to do with this?
Let's examine each individual request:
a) Photo on the properties page for the owner/creator user
OPTIONS :: /api/v1/members/3964/photo?v=34775.1 :: starts with a pre-flight check, which is successful - response 200 and the correct header set
GET :: /api/v1/members/3964/photo?v=34775.1 :: response 200, but the Access-Control-Allow-Origin value is "null", and therefore a CORS error occurs and the photo is not loaded [CORS header ‘Access-Control-Allow-Origin’ does not match ‘null’]
b) Thumbnail (the same on the properties page / grid view)
OPTIONS :: /api/v1/nodes/459250/thumbnails/medium/content?suppress_response_codes :: also starts with a pre-flight check, but this time it fails with 500 and Access-Control-Allow-Origin is not available at all [CORS header ‘Access-Control-Allow-Origin’ missing]
Why does a-GET have the value "null"? And why does b fail in the first place while a-OPTIONS is OK?
Also, since some requests have this header set already, I can't modify the web server to include the header on the CS cgi mapping, as that will cause browsers to fail loading CS at all. I did some tests with that and each browser responds differently...
Does anybody have more insight on this? If the header's presence is controlled by CS, could this be a bug then?
Thanks,
Ugis
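
The header states described in the post (matching origin, literal "null", missing) and the doubled header that results from also setting it at the web server can be checked with a small model of the browser's CORS check. This is an added example, not part of the original post or of the product's code; the origin `https://portal.example` and the sample responses are constructed.

```javascript
// Added example: models the browser-side CORS check for one response.
// Headers are [name, value] pairs so duplicated headers can be represented.
function headerValues(headers, name) {
  return headers.filter(([n]) => n.toLowerCase() === name).map(([, v]) => v.trim());
}

function corsVerdict(origin, response, { preflight = false, credentials = false } = {}) {
  const values = headerValues(response.headers, "access-control-allow-origin");
  if (values.length === 0) return "blocked: header missing";
  // Web server and application each adding the header yields two values.
  if (values.length > 1 || values[0].includes(",")) return "blocked: multiple values";
  const allowed = values[0];
  if (allowed === "*") {
    if (credentials) return "blocked: wildcard with credentials";
  } else if (allowed !== origin) {
    // Exact, case-sensitive match against the serialized request origin.
    return `blocked: '${allowed}' does not match origin`;
  } else if (credentials) {
    const acac = headerValues(response.headers, "access-control-allow-credentials");
    if (acac[0] !== "true") return "blocked: credentials not allowed";
  }
  // A preflight additionally needs an ok status (200-299).
  if (preflight && (response.status < 200 || response.status > 299)) {
    return `blocked: preflight status ${response.status}`;
  }
  return "allowed";
}

const ORIGIN = "https://portal.example"; // hypothetical external page origin
const ACAO = "Access-Control-Allow-Origin";
// Constructed responses mirroring the cases in the post.
function runCases() {
  return {
    photoOptions: corsVerdict(ORIGIN, { status: 200, headers: [[ACAO, ORIGIN]] }, { preflight: true }),
    photoGet: corsVerdict(ORIGIN, { status: 200, headers: [[ACAO, "null"]] }),
    thumbOptions: corsVerdict(ORIGIN, { status: 500, headers: [] }, { preflight: true }),
    // Header added once by the web server and once by the application.
    doubled: corsVerdict(ORIGIN, { status: 200, headers: [[ACAO, ORIGIN], [ACAO, ORIGIN]] }),
  };
}
console.log(runCases());
```

Feeding it the status and headers captured in the browser's network tab for each failing request shows which condition the response violates.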