CORS policy and HttpRequest

This Q&A forum allows users to post and respond to "How Do I Do ....." questions. Please do not use to report (suspected) errors - you must use your regional help desk for this. The information contained in this forum has not been validated by LANSA and, as such, LANSA cannot guarantee the accuracy of the information.
Post Reply
sotos
Posts: 24
Joined: Fri Feb 09, 2018 11:25 pm

CORS policy and HttpRequest

Post by sotos » Thu May 09, 2019 4:40 pm

Hello,

I am trying to POST some content via #PRIM_WEB.HttpRequest to an external website which it is going to redirect from our webpage to
another if there is a success.

I receive the following answer from the browser:

Access to XMLHttpRequest at 'https://-destination-' from origin 'https://-origin-'
has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin'
header is present on the requested resource.

Is there a workaround? Am I supposed to add a specific header to the request?

thanks,
Sotiris

tsupartono
Posts: 63
Joined: Wed Jan 25, 2017 11:12 am

Re: CORS policy and HttpRequest

Post by tsupartono » Thu May 09, 2019 4:56 pm

It's the destination website that needs to set the Access-Control-Allow-Origin header, not your RDML code.
The error basically is saying that the destination website does not allow your web app to use its resource.
Do you have control over the destination server? Can you make a change to it?

sotos
Posts: 24
Joined: Fri Feb 09, 2018 11:25 pm

Re: CORS policy and HttpRequest

Post by sotos » Thu May 09, 2019 5:06 pm

Thanks for the reply,

No unfortunately I do not have any control over the destination server (which is about online payment).

Is there any work around?
What If I make the POST from the server using #XPRIM_HttpRequest or even INTEGRATOR?

tsupartono
Posts: 63
Joined: Wed Jan 25, 2017 11:12 am

Re: CORS policy and HttpRequest

Post by tsupartono » Thu May 09, 2019 5:25 pm

Yes you can definitely do it server-side using XPRIM_HttpRequest or Integrator.

Most HTTP request contains secret information such as API keys/credentials anyway, so generally they must be done from the server (as the browser is not a secure environment).

Post Reply