Symantec Access Management

  • 1.  Access-Control-Allow-Origin missing

    Posted Oct 06, 2017 10:16 AM

    Hi,
    We have an application which is protected by SiteMinder. The application is deployed in the https://abc.e.example.net domain and weblogin in the https://cd-appstest.e.example.net domain. Now when we call the protected resource https://abc.e.example.net/protected, there is a redirection to weblogin but there are no contents (blank page). We received the following error message:
    "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cd-appstest.e.example.net/internal/login?TYPE=33554433&REALMOID=06-f7aa5cc5-e491-11cd-8d98-862e00180001&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$N5MjfOF7Ss%2b4YvM6g38sJLDA8KiTWcgLkNWF%2bhD78DX9sULYtX9%2f4dPFqsx7VsXM2W5e5zBrrISBqpTX56FUJB4TnUMmOHN&TARGET=$SM$https%3a%2f%2fabc%2ee%example%2enet%2fprotected%2fcommon%2fresources%2fusers%2f_meta%2fcurrent. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)."

    As depicted in the error message, the Access-Control-Allow-Origin header is missing in the server response. This issue is very specific to Firefox and Chrome. Based on the Firefox documentation (HTTP access control (CORS) - HTTP | MDN) we have noted that if there are requests to a resource from a different domain, protocol, or port to its own, then Access-Control-Allow-Origin has to be set to the origin. Since here https://abc.e.example.net is the origin, we need to set this as Access-Control-Allow-Origin in the web server corresponding to the https://cd-appstest.e.example.net domain.

    Both are in the same domain, i.e. .e.example.net. Then why is this a problem?
    We are providing SSO to many applications and we had no such issues till now. The solution is currently working with all the browsers except this case.
    I have also gone through the article "These cross domain XMLHttpRequest fails to reach the actual server". This is quite different from my case in the sense that mine is in the same domain.

    Can anyone help me on this with possible solutions?

    Best Regards,
    Murali



  • 2.  Re: Access-Control-Allow-Origin missing
    Best Answer

    Posted Oct 11, 2017 01:54 AM

    Hi Muralikrishna,

    I believe this is a configuration issue on the application abc.e.example.net side.

    The web server hosting this app seems to be currently implementing "The Same Origin Policy".

    You will need to configure it to allow the redirect to cd-appstest.e.example.net or all domains (*)

    Something like this (if Apache):

    These cross domain XMLHttpRequest fails to reach the actual server

    .htaccess - handle multiple domains with Access-Control-Allow-Origin header in Apache - Stack Overflow

    Regards,

    Ujwol



  • 3.  RE: Re: Access-Control-Allow-Origin missing

    Posted Feb 27, 2023 09:35 AM

    Hello,

    I have the same issue on my https://netders.com page. I'm using Cloudflare Pages and I tried to create a new reverse proxy, but I can't. Can someone who knows Cloudflare reverse proxy help me?




  • 4.  RE: Access-Control-Allow-Origin missing

    Posted Sep 20, 2023 09:28 AM

    To resolve the CORS issue, configure the web server at https://cd-appstest.e.example.net to include the Access-Control-Allow-Origin header with the value set to "https://abc.e.example.net". This allows cross-origin requests from the protected resource domain. Ensure you've considered security implications when configuring CORS.




  • 5.  RE: Access-Control-Allow-Origin missing

    Posted Sep 28, 2023 12:03 PM

    Hello

    To resolve the Cross-Origin Request Blocked error and missing 'Access-Control-Allow-Origin' header issue:

    1. Configure the web server on https://cd-appstest.e.example.net to include the 'Access-Control-Allow-Origin' header, specifying the origin https://abc.e.example.net.
    2. Optionally, configure other CORS headers as needed.
    3. Test your application in Firefox and Chrome to ensure the issue is resolved.

    You will need to configure it to allow the redirect to cd-appstest.e.example.net or all domains (*)

    Something like this (if Apache):

    https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=1b012c7e-1d75-424a-9164-3d26fa1ee541&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=digestviewer#bm1b012c7e-1d75-424a-9164-3d26fa1ee541/Power BI Certification

    .htaccess - handle multiple domains with Access-Control-Allow-Origin header in Apache - Stack Overflow 

    Thank you.
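
The header change described in posts 4 and 5, written out as an Apache configuration fragment. This is an added example, not configuration posted by anyone in the thread. It assumes the login host cd-appstest.e.example.net runs Apache 2.4 with mod_setenvif and mod_headers enabled, and that the cross-origin request carries the SSO cookies; the variable name CORS_ALLOWED_ORIGIN is made up for the example.

```apache
# Added example for the virtual host serving https://cd-appstest.e.example.net
# (assumption: Apache 2.4 with mod_setenvif and mod_headers loaded).

# Weak setting, kept commented out for contrast: every origin may read the
# response, and browsers reject "*" anyway when the request is sent with
# credentials (cookies), so it would not help a cookie-based SSO flow.
# Header always set Access-Control-Allow-Origin "*"

# Corrected setting: capture the Origin request header only when it matches
# the allowlist exactly. The pattern is anchored with ^ and $ and the dots
# are escaped, so a look-alike such as https://abc.e.example.net.attacker.test
# or https://abcXe.example.net does not match.
SetEnvIf Origin "^https://abc\.e\.example\.net$" CORS_ALLOWED_ORIGIN=$0

# Echo the matched origin back. "always" also covers redirect and error
# responses, which a login endpoint commonly returns.
Header always set Access-Control-Allow-Origin "%{CORS_ALLOWED_ORIGIN}e" env=CORS_ALLOWED_ORIGIN

# Only needed when the XHR/fetch is sent with credentials (assumption: it is,
# because the SSO session lives in cookies).
Header always set Access-Control-Allow-Credentials "true" env=CORS_ALLOWED_ORIGIN

# The response now varies by Origin, so shared caches must key on it.
Header always merge Vary "Origin"
```

Requests whose Origin does not match get no Access-Control-Allow-Origin header at all, so the browser keeps blocking them. To admit further applications, extend the regular expression with explicit host names rather than a wildcard subdomain pattern.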