cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CORS issue consuming HANA XS service (SPS9)

Go to solution
Former Member

on ‎06-11-2015 7:09 PM

0 Kudos

I'm not able to get CORS working for XS services running on my HANA rev92 server.  My JavaScript client is returning "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:36262' is therefore not allowed access."

The issue is similar to and I've tried all the remedies suggested there.  If you read the exchange carefully, you'll see that although the narrower question about CORS with authentication is answered, people have added to the post with questions that haven't been answered. In particular, people are wondering if CORS is working on SPS9.


So, here are my questions:


  1. In the other discussion, Herr Jung says we should enable CORS using the XS Admin tool, not with the .xsaccess file.  It isn't clear to me what happens if the settings in .xsaccess differ from settings in the tool.  Is it correct to assume that the XS Admin tool overrides .xsaccess?
  2. These settings below are not working for me.  What am I missing? Do I need to allow "Exposed Headers"?
  3. I can't figure out how to add items to the "Exposed Headers" section. I can open the "Add Exposed Header" dialog but pressing the "Add" button results in JavaScript errors. See below for screenshots. Is this a bug?  If so, Is there a workaround?


Add Exposed Header dialog not working:

Pressing Add Button results in JavaScript Error:

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

FabioPagoti
Active Contributor
‎06-12-2015 5:04 AM
0 Kudos

Hi Michael!

I'm sure of:

  • XS Admin doesn't overwrite your xsaccess file
  • You shouldn't add an exposed header to make CORS work

I'm would recheck the content of your .xsaccess file in terms of any cors configuration

Silly question: are you setting the CORS configuration for the right package on XS Admin?

If none of this works, I would try to remove any  "prevent_xsrf" configuration from your .xsaccess file or set it to false. I cannot explain why but for more than once my problem trying to access a resource was this configuration.

Show replies
Show replies
Former Member
‎06-23-2015 4:47 PM
0 Kudos

I rechecked and the CORS configuration was attempted in the correct package.  As I understand it, the settings propagate from the parent, but to be safe, I tried both the root of the application and the sub-package where the services live.

Answers (4)

Answers (4)

draschke
Active Contributor
‎12-05-2015 6:52 PM
0 Kudos

Hi Michael,

I struggled also with the "exposed headers" and found the solution, where you have to set the parameters. But still I'm struggling with the CORS !

Show replies
Show replies
Former Member
‎07-31-2015 8:00 PM
0 Kudos

"Exposed Headers" property should not be empty as it allows client JavaScript to fetch an XSRF token.

The key part in CORS implementation is to get HANA XS to authenticate a user and retrieve an XSRF token before making "useful" CORS calls. That is why Jung's code example makes two web-service calls.


My .xsaccess has the following configuration that makes above possible:


        "allowHeaders": [

            "Accept",

            "Authorization",

            "Content-Type",

            "X-CSRF-Token"

        ],

        "exposeHeaders": [

            "x-csrf-token"

        ]

Alexei

Show replies
Show replies
Former Member
‎06-22-2015 3:37 PM
0 Kudos

Hi Michael,

"Is it correct to assume that the XS Admin tool overrides .xsaccess?" - If there are for one and the same package, the configurations specified via the XS Admin tool take precedence over the .xsaccess file.

"Do I need to allow "Exposed Headers"?" - If you use headers that are not simple, you must
explicitly add them to the allowed headers list.

"I can open the "Add Exposed Header" dialog but pressing the "Add" button results in JavaScript errors. See below for screenshots. Is this a bug? If so, Is there a workaround?" - It could be a bug in the XS Admin tool in rev92, but I'm not completely sure. A possible workaround is to add the exposed headers to the .xsaccess file for this package (or to a parent package).

Also it would be helpful if you provide the request headers for the request that fails.

Best regards,

Stefan

Show replies
Show replies
Former Member
‎06-23-2015 4:50 PM
0 Kudos

Stephan,

Thanks for the link to "simple" headers.  I still suspect that CORS isn't working properly on SPS92.

I ended up working around the issue by changing to JSONP. The switch was simple and effective.

Former Member
‎06-12-2015 9:41 AM
0 Kudos

I have exactly the same issue over here.  Read all the posts and tried about everything.

Show replies
Show replies
Ask a Question