CORS policy issue

I am new to Smart View. I am trying the examples from csui-sdk and got the following error:

Access to XMLHttpRequest at 'cs-server/cs.exe/api/v2/nodes/2000?actions=docpreview&actions=default&actions=open&actions=download&actions=browse&fields=properties&fields=versions%7Bowner_id%7D.element(0)&expand=properties%7Breserved_user_id%7D&state=&metadata=&perspective=' from origin 'http://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

What configuration am I supposed to do here to make this error go away?

Thanks.

Best Answers

  • David Henshaw
    David Henshaw Member
    #2 Answer ✓

    Tim,

    So you're developing your application on localhost, embedding one of the Smart View widgets in your app/html, and everything is configured to use cs-server (as the server hosting the REST APIs that will supply data to the widget)…..right?

    Firstly, on Content Server (cs-server) check the admin settings and security settings - at least on the latest version (24.1), this should have the following setting available.

    I believe by default this will be empty. Note that for test purposes, you can probably leave this blank.

    Additionally, read https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS .

    In particular note that - "For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, fetch() and XMLHttpRequest follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers."

    This is why you're getting the message - the current setup doesn't allow for a cross-origin request to occur, since localhost and cs-server are considered to be from different domains.

    You'll need to resolve this in your setup - do some googling to determine what will work best (PS - rather than give an answer, I'm giving guidance as I believe this is best to encourage better understanding of CORS, since you're going to need to deal with it properly at some point :) )

    Regards,

    David

  • appuq
    appuq Member
    edited February 21 #3 Answer ✓

    You might read this and https://support.opentext.com/csm?sys_kb_id=612b536a87a51950b3f185d8dabb35a4&id=kb_article_view&sysparm_rank=3&sysparm_tsqueryId=24c301bc47a44a10fb8e8aa7536d4344

    and then see my response

    My intention was to actually show you as in an example this part https://webapp.opentext.com/piroot/eep/v200300/eep-cgi/en/html/jsframe.htm?integrate-widgets-folder

    The chapter is called 7.1.1 – Integrating the folder browse widget in case OT changes or strips the URL

    We integrate this in a third party as in a JSP. In that JSP I have the same code as in the example. I ran into CORS problems and once I switched my authentication to not use OTCS but OTDS it vanished. A programmer in OT thinks that OTDS has a mechanism that mitigates CORS. For the example OT has

        credentials: {
          username: '<username>',
          password: '<password>'
        }

    We couldn't put that in a product so I changed that to an OTDSTicket similar to what RESTAPI expects in a Postman call. I also have the liberty of my JSP with which I can get that on the server side. Note this is not a true smartui in that respect but something the SAP XECM people have for the world to use.

    @David Henshaw is correct, CORS has to be mitigated, and I first started tinkering with OTDS as it was getting an OTDS error about CORS. OTDS has a CORS filter added so it seems better for that purpose. No warranties but try it and see.
    

Answers

  • Does standard SmartUI on your CS server work? Look at the network tab and see if it gives you some clues. You can also use Postman to simulate what you are doing.

    At times, OTDSTicket instead of OTCSTicket in your header will get you there faster, although in smartui projects it is smart enough to handle authentication without you having to figure it out.

  • Thank you @appuq. I am not sure we understand each other. I am not talking about CS existing Smart View. I am trying to integrate CS smart view widgets into third party Apps.

  • @David Henshaw Thank you very much.

  • @appuq This helped much more. I am practicing my Smart View based on the links you provided above. Thank you very much.

  • @Tim Jian Pleasure. Sounds like you've followed the article I posted and are on top of things…..

    Now I'll give away the "easy solution".

    You'd probably avoid this for development purposes by hosting the page where you're embedding the widget on the same server and domain as cs-server, as that way the calling page is in the same domain as the resource being called 😉

    Sure, that may mean having to make changes to your code on the local IDE you're using and then publishing up…..perhaps something you could automate….
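
The preflight failure from the question, modelled as an added example (not part of the thread and not Content Server or OTDS code): a server-side exact-match origin allowlist next to a simplified version of the browser's check. The function names, the allowlist and the sample preflight are constructed for illustration, and it is an assumption that the ticket header is what triggers the preflight.

```javascript
// Added example: hypothetical names throughout; not Content Server or OTDS code.
// Exact scheme + host + port matches only; 'http://localhost' is the origin from the error.
const ALLOWED_ORIGINS = new Set(['http://localhost']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
// Ticket header names as mentioned in the thread; custom headers like these force a preflight.
const ALLOWED_HEADERS = ['otcsticket', 'otdsticket', 'content-type'];

const parseList = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Server side: headers to return for an OPTIONS preflight request.
function preflightResponse(req) {
  const headers = { Vary: 'Origin' }; // shared caches must not reuse one origin's answer
  const wanted = parseList(req['access-control-request-headers']);
  const ok = ALLOWED_ORIGINS.has(req.origin) &&
    ALLOWED_METHODS.includes(req['access-control-request-method']) &&
    wanted.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return headers; // no CORS headers at all: the browser blocks the call
  headers['Access-Control-Allow-Origin'] = req.origin; // echo an allowlisted origin, never '*'
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = wanted.join(', ');
  return headers;
}

// Browser side, simplified: the access control check applied to the preflight response.
function browserCheck(req, res) {
  const acao = res['Access-Control-Allow-Origin'];
  if (!acao) return "blocked: No 'Access-Control-Allow-Origin' header is present";
  if (acao !== '*' && acao !== req.origin) return 'blocked: origin mismatch';
  const granted = parseList(res['Access-Control-Allow-Headers']);
  const missing = parseList(req['access-control-request-headers']).filter((h) => !granted.includes(h));
  return missing.length ? `blocked: header ${missing[0]} not allowed` : 'allowed';
}

// Constructed preflight for the widget's GET to /api/v2/nodes/2000.
const preflight = (origin) => ({
  origin,
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'otcsticket',
});

const verdict = (origin) => browserCheck(preflight(origin), preflightResponse(preflight(origin)));

console.log(browserCheck(preflight('http://localhost'), {})); // server as in the question
for (const o of ['http://localhost', 'http://localhost:8080', 'http://untrusted.example']) {
  console.log(o, '->', verdict(o));
}
```

A different port counts as a different origin, so `http://localhost:8080` is refused until it is added to the allowlist explicitly.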