Layer7 Access Management


Access-Control-Allow-Origin missing

  • 1.  Access-Control-Allow-Origin missing

    Posted 10-06-2017 10:16 AM

    Hi,
    We have an application which is protected by SiteMinder. The application is deployed in the https://abc.e.example.net domain and weblogin in the https://cd-appstest.e.example.net domain. Now when we call the protected resource https://abc.e.example.net/protected, there is a redirection to weblogin but there are no contents (blank page). We received the following error message: "
    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cd-appstest.e.example.net/internal/login?TYPE=33554433&REALMOID=06-f7aa5cc5-e491-11cd-8d98-862e00180001&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$N5MjfOF7Ss%2b4YvM6g38sJLDA8KiTWcgLkNWF%2bhD78DX9sULYtX9%2f4dPFqsx7VsXM2W5e5zBrrISBqpTX56FUJB4TnUMmOHN&TARGET=$SM$https%3a%2f%2fabc%2ee%example%2enet%2fprotected%2fcommon%2fresources%2fusers%2f_meta%2fcurrent. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). "

    As depicted in the error message, the Access-Control-Allow-Origin header is missing in the server response. This issue is very specific to Firefox and Chrome. Based on the Firefox documentation (HTTP access control (CORS) - HTTP | MDN), we have noted that if there are requests to a resource from a different domain, protocol, or port to its own, then Access-Control-Allow-Origin has to be set to the origin. Since here https://abc.e.example.net is the origin, we need to set this as Access-Control-Allow-Origin in the web server corresponding to the https://cd-appstest.e.example.net domain.

    Both are in the same domain, i.e. .e.example.net. Then why is this a problem?
    We are providing SSO to many applications and we had no such issues till now. The solution is currently working with all the browsers except in this case.
    I have also gone through the article "These cross domain XMLHttpRequest fails to reach the actual server". This is quite different from my case in the sense that mine is in the same domain.

    Can anyone help me on this with possible solutions?

    Best Regards,
    Murali



  • 2.  Re: Access-Control-Allow-Origin missing
    Best Answer

    Posted 10-11-2017 01:54 AM

    Hi Muralikrishna,

     

    I believe this is a configuration issue on the application abc.e.example.net side.

    The web server hosting this app seems to be currently implementing "The Same Origin Policy".

    You will need to configure it to allow the redirect to cd-appstest.e.example.net or all domains (*).

    Something like this (if Apache):

    These cross domain XMLHttpRequest fails to reach the actual server 

    .htaccess - handle multiple domains with Access-Control-Allow-Origin header in Apache - Stack Overflow 

     

    Regards,

    Ujwol
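
The origin comparison behind the question in this thread, together with an allowlist-based way of choosing the `Access-Control-Allow-Origin` value, as an added example that is not part of either post. The hostnames come from the thread; `ALLOWED_ORIGINS`, `sameOrigin` and `corsHeadersFor` are hypothetical names, and the allowlist contents are an assumption.

```javascript
// Added example, not code from the thread. Function and constant names are
// hypothetical; the hostnames are the ones quoted in the posts.

// An origin is scheme + host + port. Two hosts that share a parent domain
// (.e.example.net) are still different origins as far as CORS is concerned.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Assumption: the origins allowed to read responses from the server that
// sends these headers. Exact strings, as browsers send them in Origin.
const ALLOWED_ORIGINS = new Set(["https://abc.e.example.net"]);

// Decide the CORS response headers for one request from its Origin header.
// Returns {} when nothing should be sent, so the browser keeps blocking.
function corsHeadersFor(originHeader, { withCredentials = false } = {}) {
  // No Origin header: not a cross-origin fetch/XHR, nothing to add.
  if (typeof originHeader !== "string" || originHeader === "") return {};
  // Exact match only: no suffix or substring tests, and "null" never matches.
  if (!ALLOWED_ORIGINS.has(originHeader)) return {};
  const headers = {
    // Echo the specific origin rather than "*": browsers refuse "*" on
    // requests that carry cookies or other credentials.
    "Access-Control-Allow-Origin": originHeader,
    // The response differs per Origin, so caches must key on it.
    "Vary": "Origin",
  };
  if (withCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed sample input: the two URLs from the thread.
const app = "https://abc.e.example.net/protected";
const login = "https://cd-appstest.e.example.net/internal/login";
console.log("same origin:", sameOrigin(app, login));
console.log(corsHeadersFor("https://abc.e.example.net", { withCredentials: true }));
console.log(corsHeadersFor("https://other.e.example.net"));
```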