Access-Control-Allow-Origin missing in response | Community
Skip to main content
T
TB3dock
Level 8
May 5, 2021
Solved

Access-Control-Allow-Origin missing in response

  • May 5, 2021
  • 2 replies
  • 2705 views

Cors is not working.  We added a "*" based entry in the configmnager, but this does not help either.

Using postman, we see the header Access-Control-Allow-Origin  is not being set in the response from AEM. Is this normal?

 

 

Here is the postman conversation:

I would have expected to see Access-Control-Allow-Origin: * in the response?

 

I just tried sending OPTION request instead of post, and included Access-Control-Request-MethodPOST in the request,but this also does not respond with the expected cors headers.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by MarkusBullaAdobe

Hi @tb3dock!

At a first glance, your OSGI configuration looks ok and things should work as expected.

For further debugging I would refer your to the Troubleshooting section of the "Understanding CORS" documentation page. Please create a logger for the com.adobe.granite.cors package on DEBUG (or even TRACE) level and see if you can find additional insights on the matter.

 

Apart from that one general note.

 

I'm sure you are aware of this and obviously you're currently in a troubleshooting/debugging working mode, but please also refer to the following warning on the "Understanding CORS" documentation page:
"It is absolutely not recommended to use Allow-Origin: * in production since it allows every foreign (i.e. attacker) website to make requests that without CORS are strictly prohibited by browsers."

 

Hope that helps!

2 replies

Ritesh_Mittal
Community Advisor and Adobe Champion
Ritesh_MittalCommunity Advisor and Adobe Champion
Community Advisor and Adobe Champion
May 5, 2021
 

@tb3dock 

 

There is another question posted by you, if they are talking about same issue. I have tried giving response if that helps-

 

Another thread-

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/servlet-and-cors/qaq-p/406758#M89129

    T
    TB3dockAuthor
    Level 8
    May 5, 2021
    hi, thanks for the reply. The questions are quite separate, this one is for when cors is actually configured (via configmanager) it is not working as expected
    MarkusBullaAdobe
    Adobe Employee
    MarkusBullaAdobeAdobe EmployeeAccepted solution
    Adobe Employee
    May 5, 2021

    Hi @tb3dock!

    At a first glance, your OSGI configuration looks ok and things should work as expected.

    For further debugging I would refer your to the Troubleshooting section of the "Understanding CORS" documentation page. Please create a logger for the com.adobe.granite.cors package on DEBUG (or even TRACE) level and see if you can find additional insights on the matter.

     

    Apart from that one general note.

     

    I'm sure you are aware of this and obviously you're currently in a troubleshooting/debugging working mode, but please also refer to the following warning on the "Understanding CORS" documentation page:
    "It is absolutely not recommended to use Allow-Origin: * in production since it allows every foreign (i.e. attacker) website to make requests that without CORS are strictly prohibited by browsers."

     

    Hope that helps!

      T
      TB3dockAuthor
      Level 8
      May 6, 2021
      could it be something with "supported headers"? I cant find any info on what these are for, and, explicitly, what happens if the client supplies headers which are not in this list.
      Terms & ConditionsAccessibility statement

      Loading footer...