CORS preflight with webspeed on 10.2b - Forum - OpenEdge Development - Progress Community

CORS preflight with webspeed on 10.2b

 Forum

CORS preflight with webspeed on 10.2b

This question is not answered

Hi All,

i'm trying to develop a webspeed api in 10.2b that receives and returns json via a POST. this is to be called from some other web page (an angular app - eventually) and so chrome is using cors for the cross site verification. I'm struggling to get this to work and wondered if anyone has done this before and has any tips etc.

for my normal data response i'm sending...

output-http-header("Access-Control-Allow-Origin", "*"). 

output-http-header("Access-Control-Allow-Methods", "GET, POST, OPTIONS, HEAD").

output-content-type("application/json":U).

/* populate dsResponse somehow */

 DATASET dsResponse:WRITE-JSON("stream":U, "webstream":U).

this seems to work OK.

when the preflight is required i tried checking the request and short circuiting the response...

IF request_method = "OPTIONS" THEN
DO:

output-http-header("Access-Control-Allow-Origin", "*"). 
output-http-header("Access-Control-Allow-Methods", "GET, POST, OPTIONS, HEAD").

return.

END.

This doesn't seem to be working. I;m getting bad gate-way error and No 'Access-Control-Allow-Origin' header is present on the requested resource.

Am i barking up the wrong tree here? Is it possible to handle CORS in this manner.

I've also googled and discovered possible IIS config option or using a cors proxy. Anyone any experience with these?

AKJ

All Replies
  •  
    Webspeed messenger only works with GET and POST.  Maybe someone can correct me, but I don’t think PUT, OPTIONS, or HEAD work.  The messenger doesn’t pass them through.
     
    You have to switch to PASOE to have the other verbs work.
     
     
  • We're on 10.2b and managed to work around this in a couple of different ways (in dev anyway)

    1 - If you are using Angular and have a live server running (by default on locahost:4200), configure a proxy as per the examples here: medium.freecodecamp.org/the-best-ways-to-connect-to-the-server-using-angular-cli-b0c6b699716c

    2 - if your API (i.e. the webpseed bit) is fronted by an Apache web-server, you can set the headers in the httpd.conf as follows (this still requires the changes that you've made to set the access control headers;

    Listen 80

    <VirtualHost *:80>

       DocumentRoot "${SRVROOT}"

       ServerName www.example.com

       # Other directives here

       Header set Access-Control-Allow-Origin "http://localhost:4200"

       Header set Access-Control-Allow-Credentials "true"

       Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"

    </VirtualHost>

  • You're correct that it says that classic only supports GET/POST, but if I put debug messages in my "IF request_method = "OPTIONS" THEN ..." block it IS executing. Strange.

  • managed to get this working with IIS cors plugin and modifying web.config...

    <?xml version="1.0" encoding="utf-8"?>

    <configuration>

    <system.webServer>

       <cors enabled="true">

           <add origin="https://myspa.mycompany.co.uk">

           <allowHeaders allowAllRequestedHeaders="true" />

           <allowMethods>

               <add method="GET" />

               <add method="HEAD" />

               <add method="POST" />

           </allowMethods>

         </add>

       </cors>

    </system.webServer>

    </configuration>