Skip to Content

CORS Issue while consuming Hana's OData


While trying to consume data from a OData JSON URL from Hana in our local application, we encounter an error as below,

XMLHttpRequest cannot load http//someurl&$format=json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:XXXX' is therefore not allowed access.

Since this is clearly a Cross Origin issue, we tried adding CORS parameters as below in .xsaccess file (as in Hana Developer Guide) to allow Cross Origin requests, but we are still shown as same error as above.

"cors" : // Permit cross-origin browser requests [ { "enabled" : true } ]

After going through few posts/blogs, we understood below parameter needs to be enabled in the Response Header of Odata URL,

"Access-Control-Allow-Origin" = "*";

But we are unsure on which file/place we will need to add this parameter.

Please help us in understanding the below queries,

  1. Do we need to add "Access-Control-Allow-Origin" = "*" to request header even of we enable CORS in ".xsaccess" file?
  2. If yes, in which file/place we need to add this package (since we're very much a DB resource we aren't sure on where to add in the Odata hana package) 

Thanks in advance!



Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    Dec 31, 2013 at 01:15 PM

    Adding the CORS entry to the .xsaccess file will create the header. However this only works for anonymous services.  If you require authentication then CORS won't work because it doesn't add the header to the authentication response. 

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    May 25, 2015 at 09:04 PM

    Dear colleagues,

    were you ever able to solve this issue?

    XMLHttpRequest cannot load http://externalserver/SalesOrder/services/SalesOrder.xsodata/$metadata. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

    ODataMetadata.js:6 Uncaught (in promise) Object {message: "HTTP request failed", request: Object, response: Object, statusCode: 0, statusText: ""…}

    I'm facing this while executing the code below:

    var oModel = new sap.ui.model.odata.v2.ODataModel("http://externalserver/SalesOrder/services/SalesOrder.xsodata");


    My .xsaccess file reads like this:


        "exposed": true


    If I make a common XMLHttpRequest to this address it works:


    My Hana XS app is configured like this:


    Security.PNG (31.7 kB)
    cors.PNG (38.3 kB)
    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Ann Zhang

      i manage to make it work :

      here are the headers I'm using :

      enter them directly in the XS Admin UI for SP9

      in the CORS tab :

      check the 'enable Cross Origin'

      add you server in the 'Allowed Origin'

      put the following in 'Allowed Headers'

      Origin, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control

      and the following in 'Exposed Headers '


      Maybe i don't need them all , but at least it works like that for me

      then check ' Get, head, post,options' inthe 'allowed Methods'

      then Make sure you have an AnonConn.xssqlcc and that in the admin interface  in SQL COneection Configuration you set a login and password of a user that has access to your package. passwd was not used in SP8 but i guess this is now mandatory with SP9, if you don't set this it will not work

      then i don't know which language you use (php, javascript) on the httprequest client side , but here is few line of javascript code which works for me :

      var request=new XMLHttpRequest();


 , url, true); // asynchronous call




           request.withCredentials = false;

           request.setRequestHeader("Accept", "application/json");



      Setting too many headers on access-control on the request make it break especially with Chrome. It was easier to make it work with firefox.

      I hope this will help you



  • avatar image
    Former Member
    Jul 27, 2015 at 11:27 PM

    Denis Descaus's Solution below worked for me.

    I had CORS working on SPS 86 and then we moved to 96 and all the CORS requests broke.

    His settings worked like a charm!

    We added/replaced our ajax request attributes with the following:


    xhrFields: {withCredentials: false},

    headers : {"Accept" : "application/json"},

    Add comment
    10|10000 characters needed characters exceeded