CORS policy issue
I am new to Smart View. I am trying the examples from csui-sdk and got the following error:
Access to XMLHttpRequest at 'cs-server/cs.exe/api/v2/nodes/2000?actions=docpreview&actions=default&actions=open&actions=download&actions=browse&fields=properties&fields=versions%7Bowner_id%7D.element(0)&expand=properties%7Breserved_user_id%7D&state=&metadata=&perspective=' from origin 'http://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
What configuration am I supposed to do here to make this error go away?
Thanks.
Best Answers
-
Tim,
So you're developing your application on localhost, embedding one of the Smart View widgets in your app/html, and everything is configured to use cs-server (as the server hosting the REST APIs that will supply data to the widget)…..right?
Firstly, on Content Server (cs-server) check the admin settings and security settings - at least on the latest version (24.1), this should have the following setting available.
I believe by default this will be empty. Note that for test purposes, you can probably leave this blank.
Additionally, read
In particular note that - "For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, fetch() and XMLHttpRequest follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers."
This is why you're getting the message - the current setup doesn't allow for a cross-origin request to occur, since localhost and cs-server are considered to be from different domains.
You'll need to resolve this in your setup - do some googling to determine what will work best (PS - rather than give an answer, I'm giving guidance as I believe this is best to encourage better understanding of CORS, since you're going to need to deal with it properly at some point :) )
Regards,
David
2 -
You might read this and
and then see my response
My intention was to actually show you as in an example this part
The chapter is called 7.1.1 – Integrating the folder browse widget in case OT changes or strips the URL
We integrate this in a third party as in a JSP. In that JSP I have the same code as in the example. I ran into CORS problems and once I switched my authentication to not use OTCS but OTDS it vanished. A programmer in OT thinks that OTDS has a mechanism that mitigates CORS. For the example OT has
credentials: {
  username:'<username>',
  password:'<password>'
}
We couldn't put that in a product so I changed that to an OTDSTicket similar to what RESTAPI expects in a postman call. I also have the liberty of my JSP with which I can get that on the server side. Note this is not a true smartui in that respect but something the SAP XECM people have for the world to use.
@David Henshaw is correct, CORS has to be mitigated, and I first started tinkering with OTDS as it was getting an OTDS error about CORS. OTDS has a CORS filter added so it seems better for that purpose. No warranties but try it and see.
1
Answers
-
Does standard SmartUI on your CS server work? Look at the network tab and see if it gives you some clues. You can also use Postman to simulate what you are doing.
Times instead of OTCSTicket in your header OTDSTicket will get you faster although in smartui projects it is smart enough to handle authentication without you having to figure it out.
0 -
@David Henshaw Thank you very much.
0 -
@Tim Jian pleasure. Sounds like you've followed the article I posted and are on top of things…..
Now I'll give away the "easy solution".
You'd probably avoid this for development purposes by hosting the page where you're embedding the widget on the same server and domain as cs-server, as that way the calling page is in the same domain as the resource being called 😉
Sure, that may mean having to make changes on your code on the local IDE you're using and then publishing up…..perhaps something you could automate….
0
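The check behind the error in the question, as an added example that is not part of the original thread or of the csui-sdk: a simplified model of how a browser decides whether a scripted cross-origin request may proceed. The function name `checkCors`, the `http://` scheme for cs-server, the page paths and the assumption that the request carries an `OTCSTicket` header are all constructed for illustration.

```javascript
// Added example: simplified model of the browser's CORS preflight check.
// Not modelled: method checks, Content-Type value rules, Authorization special-casing.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

const lowerKeys = (h) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
const tokens = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// req: { pageUrl, targetUrl, headers: [names], credentials: bool }
// preflight: { status, headers } as returned for the OPTIONS request
function checkCors(req, preflight) {
  const origin = new URL(req.pageUrl).origin;
  if (origin === new URL(req.targetUrl).origin) {
    return { allowed: true, reason: "same origin: CORS does not apply" };
  }
  const custom = req.headers.map((h) => h.toLowerCase()).filter((h) => !SAFELISTED.has(h));
  const res = lowerKeys(preflight.headers);
  const acao = res["access-control-allow-origin"];
  if (!acao) return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  if (acao === "*" && req.credentials) {
    return { allowed: false, reason: "wildcard origin is rejected for credentialed requests" };
  }
  if (acao !== "*" && acao !== origin) return { allowed: false, reason: "origin not allowed" };
  if (req.credentials && res["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  if (custom.length && (preflight.status < 200 || preflight.status > 299)) {
    return { allowed: false, reason: "preflight did not return an ok status" };
  }
  const allowed = tokens(res["access-control-allow-headers"]);
  const wildcard = allowed.includes("*") && !req.credentials;
  const missing = custom.filter((h) => !wildcard && !allowed.includes(h));
  if (missing.length) return { allowed: false, reason: "header not allowed: " + missing.join(", ") };
  return { allowed: true, reason: "cross-origin request permitted" };
}

// Constructed inputs: http://cs-server and the page paths are assumed, not from the thread.
const target = "http://cs-server/cs.exe/api/v2/nodes/2000";
const fromLocalhost = { pageUrl: "http://localhost/index.html", targetUrl: target,
                        headers: ["OTCSTicket"], credentials: false };
const noCorsHeaders = { status: 200, headers: {} };
const scopedPolicy = { status: 204, headers: {
  "Access-Control-Allow-Origin": "http://localhost",
  "Access-Control-Allow-Headers": "OTCSTicket, Content-Type" } };

console.log(checkCors(fromLocalhost, noCorsHeaders)); // the situation in the question
console.log(checkCors(fromLocalhost, scopedPolicy));  // one named origin, one named header
console.log(checkCors({ ...fromLocalhost, pageUrl: "http://cs-server/app/index.html" }, noCorsHeaders));
```

The last call corresponds to hosting the embedding page on cs-server itself: the origins match, so no CORS headers are needed at all.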