CORS policy and HttpRequest

Posted: Thu May 09, 2019 4:40 pm
by sotos
Hello,

I am trying to POST some content via #PRIM_WEB.HttpRequest to an external website, which is going to redirect from our webpage to another if there is a success.

I receive the following answer from the browser:

Access to XMLHttpRequest at 'https://-destination-' from origin 'https://-origin-'
has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin'
header is present on the requested resource.

Is there a workaround? Am I supposed to add a specific header to the request?

thanks,
Sotiris

Re: CORS policy and HttpRequest

Posted: Thu May 09, 2019 4:56 pm
by tsupartono
It's the destination website that needs to set the Access-Control-Allow-Origin header, not your RDML code.
The error basically is saying that the destination website does not allow your web app to use its resource.
Do you have control over the destination server? Can you make a change to it?
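
A simplified model of the check the browser applies to the preflight response, as an added example that is not part of the thread. The function names, the origins and the assumption that the POST carries a JSON Content-Type are constructed for illustration.

```javascript
// Simplified model of the browser's CORS preflight check (Fetch standard rules).
// Response header names are lowercase keys; all sample values are constructed.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);
const deny = (reason) => ({ allowed: false, reason });

function checkPreflight(request, response) {
  const h = response.headers;
  const withCreds = request.credentials === true;
  if (response.status < 200 || response.status > 299) {
    return deny("preflight status is not 2xx");
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return deny("no Access-Control-Allow-Origin header");
  }
  if (allowOrigin === "*" ? withCreds : allowOrigin !== request.origin) {
    return deny("Access-Control-Allow-Origin does not match the origin");
  }
  if (withCreds && h["access-control-allow-credentials"] !== "true") {
    return deny("credentials not allowed");
  }
  // "*" acts as a wildcard only for requests sent without credentials.
  const methods = list(h["access-control-allow-methods"]);
  const methodOk = SAFELISTED_METHODS.includes(request.method) ||
    methods.includes(request.method) || (!withCreds && methods.includes("*"));
  if (!methodOk) return deny("method not allowed");
  const allowed = list(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of request.unsafeHeaders.map((s) => s.toLowerCase())) {
    const wildcard = !withCreds && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !wildcard) return deny(`header not allowed: ${name}`);
  }
  return { allowed: true, reason: "preflight passed" };
}

// Constructed case modelled on the thread: a POST assumed to carry a JSON
// Content-Type is preflighted, and the destination answers without CORS headers.
const request = { origin: "https://shop.example", method: "POST",
  credentials: false, unsafeHeaders: ["Content-Type"] };
const noCors = { status: 200, headers: {} };
const withCors = { status: 204, headers: {
  "access-control-allow-origin": "https://shop.example",
  "access-control-allow-headers": "content-type" } };

console.log(checkPreflight(request, noCors));   // blocked, as in the error above
console.log(checkPreflight(request, withCors)); // passes once the destination opts in
```

Every input to this decision is a response header chosen by the destination server, which is why no header added to the request can change the outcome.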

Re: CORS policy and HttpRequest

Posted: Thu May 09, 2019 5:06 pm
by sotos
Thanks for the reply,

No, unfortunately I do not have any control over the destination server (which is about online payment).

Is there any workaround?
What if I make the POST from the server using #XPRIM_HttpRequest or even INTEGRATOR?

Re: CORS policy and HttpRequest

Posted: Thu May 09, 2019 5:25 pm
by tsupartono
Yes, you can definitely do it server-side using XPRIM_HttpRequest or Integrator.

Most HTTP requests contain secret information such as API keys/credentials anyway, so generally they must be done from the server (as the browser is not a secure environment).

Re: CORS policy and HttpRequest

Posted: Fri May 31, 2019 11:13 am
by Tim McEntee
Typically you do this communication with the payment provider on the server side.

Unless you have a specific requirement. I once did a client side solution with VL/Win and ActiveX because the Franchisor who ran the server wanted the Franchisee (client side) to take responsibility for the credit card transactions.

Otherwise do it on the server. It is much safer and easier for all that way.