
SOLVED

Access-Control-Allow-Origin missing in response


Level 9

CORS is not working. We added a "*" based entry in the configmanager, but this does not help either.

Using Postman, we see the header Access-Control-Allow-Origin is not being set in the response from AEM. Is this normal?

[Screenshot: TB3dock_0-1620211953038.png]


Here is the Postman conversation:

[Screenshot: TB3dock_1-1620210081701.png]

I would have expected to see Access-Control-Allow-Origin: * in the response?

I just tried sending an OPTIONS request instead of POST, and included Access-Control-Request-Method: POST in the request, but this also does not respond with the expected CORS headers.

1 Accepted Solution


Correct answer by
Employee Advisor

Hi @TB3dock!

At a first glance, your OSGI configuration looks ok and things should work as expected.

For further debugging I would refer you to the Troubleshooting section of the "Understanding CORS" documentation page. Please create a logger for the com.adobe.granite.cors package on DEBUG (or even TRACE) level and see if you can find additional insights on the matter.

Apart from that, one general note:


I'm sure you are aware of this and obviously you're currently in a troubleshooting/debugging working mode, but please also refer to the following warning on the "Understanding CORS" documentation page:
"It is absolutely not recommended to use Allow-Origin: * in production since it allows every foreign (i.e. attacker) website to make requests that without CORS are strictly prohibited by browsers."

 

Hope that helps!


6 Replies


Community Advisor
 

@TB3dock

There is another question posted by you, if they are talking about the same issue. I have tried giving a response, if that helps.

Another thread:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/servlet-and-cors/qaq-p/406...


Level 9
Hi, thanks for the reply. The questions are quite separate; this one is for when CORS is actually configured (via configmanager), it is not working as expected.


Level 9
Could it be something with "supported headers"? I can't find any info on what these are for, and, explicitly, what happens if the client supplies headers which are not in this list.


Employee Advisor
You can double check on the "supported headers" if you replace them with a wildcard (*) to allow any. In addition to that you may want to deactivate result caching for debugging purposes by setting the max age property to "-1". Have you already activated debug logging and checked the log files as suggested in my initial response?


Level 9
Supported headers was the issue, thanks. * fixed it. It's only for author.dev, not prod.
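
The failure resolved in this thread (a request header missing from the policy's "supported headers"), as an added example that is not part of the original posts or of Adobe's code: a check of a preflight response against the browser-side CORS rules of the Fetch specification. The function name `checkPreflight`, the request/response object shapes and all sample values are assumptions made for illustration.

```javascript
// Added example: models the browser-side CORS preflight check (Fetch spec),
// not AEM's server-side code. All sample values are constructed.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

const splitList = (v) =>
  (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// req: { origin, method, headers (names from Access-Control-Request-Headers), credentials }
// res: preflight response headers keyed by lower-case name
function checkPreflight(req, res) {
  const problems = [];
  const creds = Boolean(req.credentials);

  const acao = res["access-control-allow-origin"];
  if (!acao) {
    problems.push("Access-Control-Allow-Origin missing");
  } else if (acao === "*" ? creds : acao !== req.origin) {
    problems.push(`origin not allowed: ${acao}`);
  }
  if (creds && res["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not 'true'");
  }

  // Method names are compared case-insensitively here for simplicity.
  const methods = splitList(res["access-control-allow-methods"]);
  const methodOk =
    SAFELISTED_METHODS.has(req.method.toUpperCase()) ||
    methods.includes(req.method.toLowerCase()) ||
    (!creds && methods.includes("*"));
  if (!methodOk) problems.push(`method not allowed: ${req.method}`);

  // Each requested header must be listed. "*" is a wildcard only without
  // credentials, and never covers Authorization.
  const allowed = splitList(res["access-control-allow-headers"]);
  for (const h of req.headers.map((x) => x.toLowerCase())) {
    const wildcard = allowed.includes("*") && !creds && h !== "authorization";
    if (!allowed.includes(h) && !wildcard) {
      problems.push(`request header not allowed: ${h}`);
    }
  }
  return problems;
}

// Constructed sample: the script wants to send two non-safelisted headers.
const sampleReq = { origin: "https://app.example.test", method: "POST",
  headers: ["content-type", "x-api-key"], credentials: false };
console.log(checkPreflight(sampleReq, {
  "access-control-allow-origin": "*", "access-control-allow-headers": "content-type" }));
```

Feeding it the headers captured from an OPTIONS response shows which part of the policy a browser would reject, and the credentialed case shows why a `*` policy stops working once cookies or HTTP authentication are involved.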