Skip to Content

CORS issue while trying to authenticate at Netweaver 7.40


I'm trying to authenticate and retrieve the x-csrf-token in a webapp that is not running on the Netweaver 7.40 system.

If I set a custom header ('Authorization': 'Basic .....'), the browser sends a OPTIONS preflight request, that is being rejected due to missing CORS headers. If the preflight request is being rejected, all following requests, like the GET request to retrieve the x-csrf-token, are being blocked automatically.

Is there any possibility to set cors headers for OPTIONS requests? In a Electron environment, the request is let through and works, because there is no OPTIONS preflight request and Electron doesn't seem to obey CORS headers.

cors.png (18.3 kB)
Add a comment
10|10000 characters needed characters exceeded

Related questions

1 Answer

  • Posted on Jul 16, 2020 at 01:20 PM

    Hi Tomas,

    CORS issue is completely unrelated to token or authorization issue. It is simply a browser security feature that blocks any cross domain http access. If you're working on a development environment , there's a quick and easy way (but less secure) which is to disable the cross-origin check. I won't be going into detail about that and also other ways to solve it because there's a lot of materials out there that is already talking about this topic. One example is the blog post below:

    Add a comment
    10|10000 characters needed characters exceeded

    • The SAP Gateway doesn't add or doesn't seem to have the option to add CORS headers on reponses to OPTIONS requests. That's why modern browsers block following requests on client side. Therefore, even a request with "x-csrf-token":"fetch" header won't be let through.

      The browser sends the OPTIONS preflight, because we need to modify the standard http headers to add an "Authoriztation" header and the "x-csrf-token":"fetch" header mentioned above.

      let request = new XMLHttpRequest();'GET', this.serviceURL);
      request.setRequestHeader('Authorization', 'Basic ' + basicAuthToken); // <-Triggers OPTIONS preflight
      request.setRequestHeader('x-csrf-token', 'fetch');
      request.addEventListener('load', function (event) {
         if (request.status >= 200 && request.status < 300) {
         } else {
            console.warn(request.statusText, request.responseText);

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.