SOLVED

Access-Control-Allow-Origin missing in response

TB3dock
Level 7

CORS is not working. We added a "*" based entry in the configmanager, but this does not help either.

Using Postman, we see the header Access-Control-Allow-Origin is not being set in the response from AEM. Is this normal?

TB3dock_0-1620211953038.png

Here is the Postman conversation:

TB3dock_1-1620210081701.png

I would have expected to see Access-Control-Allow-Origin: * in the response?

I just tried sending an OPTIONS request instead of POST, and included Access-Control-Request-Method: POST in the request, but this also does not respond with the expected CORS headers.

1 Accepted Solution
markus_bulla_adobe
Correct answer by
Employee

Hi @TB3dock!

At first glance, your OSGi configuration looks OK and things should work as expected.

For further debugging I would refer you to the Troubleshooting section of the "Understanding CORS" documentation page. Please create a logger for the com.adobe.granite.cors package on DEBUG (or even TRACE) level and see if you can find additional insights on the matter.

Apart from that, one general note.

I'm sure you are aware of this and obviously you're currently in a troubleshooting/debugging working mode, but please also refer to the following warning on the "Understanding CORS" documentation page:
"It is absolutely not recommended to use Allow-Origin: * in production since it allows every foreign (i.e. attacker) website to make requests that without CORS are strictly prohibited by browsers."

Hope that helps!

6 Replies
Ritesh_M
Community Advisor

@TB3dock

There is another question posted by you, if they are talking about the same issue. I have tried giving a response there, if that helps.

Another thread:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/servlet-and-cors/qaq-p/406...

TB3dock
Level 7
Hi, thanks for the reply. The questions are quite separate; this one is for when CORS is actually configured (via configmanager) and it is not working as expected.
TB3dock
Level 7
Could it be something with "supported headers"? I can't find any info on what these are for, and, explicitly, what happens if the client supplies headers which are not in this list.
markus_bulla_adobe
Employee
You can double check on the "supported headers" if you replace them with a wildcard (*) to allow any. In addition to that you may want to deactivate result caching for debugging purposes by setting the max age property to "-1". Have you already activated debug logging and checked the log files as suggested in my initial response?
TB3dock
Level 7
Supported headers was the issue, thanks. * fixed it. It's only for author.dev, not prod.
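
The thread's symptom (no Access-Control-Allow-Origin in the response) and its fix (widening "supported headers") can be checked against a captured preflight exchange. The following is an added example, not code from the thread or from Adobe: it models the browser-side preflight check from the Fetch standard rather than AEM's filter, and the origin `https://app.example` and header `x-api-key` are constructed sample values.

```javascript
// Added example: models the browser's CORS preflight check (Fetch standard),
// not AEM's server-side filter. All sample values are constructed.
const lower = (h) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

function checkPreflight(request, response, { credentials = false } = {}) {
  const req = lower(request), res = lower(response), findings = [];
  const allowOrigin = res["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    // Without this header the browser rejects the response outright.
    return ["FAIL: Access-Control-Allow-Origin missing"];
  }
  if (allowOrigin === "*") {
    findings.push(credentials
      ? "FAIL: '*' origin is not accepted for credentialed requests"
      : "WARN: wildcard origin, any website may read this response");
  } else if (allowOrigin !== req["origin"]) {
    findings.push(`FAIL: allowed origin ${allowOrigin} does not match ${req["origin"]}`);
  }
  const method = (req["access-control-request-method"] || "").toUpperCase();
  const methods = list(res["access-control-allow-methods"]).map((m) => m.toUpperCase());
  const methodOk = ["GET", "HEAD", "POST"].includes(method) || methods.includes(method) ||
    (methods.includes("*") && !credentials);
  if (!methodOk) findings.push(`FAIL: method ${method} not allowed`);
  const allowed = list(res["access-control-allow-headers"]);
  const wildcard = allowed.includes("*") && !credentials;
  for (const name of list(req["access-control-request-headers"])) {
    // '*' never covers Authorization; it has to be listed by name.
    const covered = allowed.includes(name) || (wildcard && name !== "authorization");
    if (!covered) findings.push(`FAIL: request header ${name} not allowed`);
  }
  return findings;
}

// Constructed preflight for a POST carrying a custom header (x-api-key is made up).
const preflight = {
  Origin: "https://app.example",
  "Access-Control-Request-Method": "POST",
  "Access-Control-Request-Headers": "content-type, x-api-key",
};
const narrow = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "content-type" };
const wide = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*" };
console.log(checkPreflight(preflight, {}));
console.log(checkPreflight(preflight, narrow));
console.log(checkPreflight(preflight, wide));
```

Paste the headers from a real Postman or browser capture in place of the constructed objects; a WARN on the wildcard origin is the case the quoted documentation warning is about.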