CORS is not working. We added a "*" based entry in the config manager, but this does not help either.
Using Postman, we see the header Access-Control-Allow-Origin is not being set in the response from AEM. Is this normal?
Here is the Postman conversation:
I would have expected to see Access-Control-Allow-Origin: * in the response?
I just tried sending an OPTIONS request instead of POST, and included Access-Control-Request-Method: POST in the request, but this also does not respond with the expected CORS headers.
Hi @TB3dock!
At a first glance, your OSGI configuration looks ok and things should work as expected.
For further debugging I would refer you to the Troubleshooting section of the "Understanding CORS" documentation page. Please create a logger for the com.adobe.granite.cors package on DEBUG (or even TRACE) level and see if you can find additional insights on the matter.
Apart from that, one general note.
I'm sure you are aware of this and obviously you're currently in a troubleshooting/debugging working mode, but please also refer to the following warning on the "Understanding CORS" documentation page:
"It is absolutely not recommended to use Allow-Origin: * in production since it allows every foreign (i.e. attacker) website to make requests that without CORS are strictly prohibited by browsers."
Hope that helps!
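A way to check captured request and response headers for the two conditions raised in this thread (a missing Access-Control-Allow-Origin header, and the wildcard the documentation warns about), as an added example that is not part of the original thread or Adobe's code. The function name, finding labels and sample headers are constructed for illustration.

```python
# Added example: audit one captured request/response pair for CORS issues.
# All sample data below is constructed, not taken from the thread.

def audit_cors(method, request_headers, response_headers):
    """Return a list of finding labels for one request/response pair."""
    req = {k.lower(): v.strip() for k, v in request_headers.items()}
    res = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings = []
    origin = req.get("origin")
    acao = res.get("access-control-allow-origin")

    # A request without an Origin header is not a CORS request; a server
    # that evaluates CORS per request may add no CORS headers to it.
    if origin is None:
        findings.append("request-has-no-origin")
    if acao is None:
        findings.append("allow-origin-missing")
        return findings
    if acao == "*":
        findings.append("allow-origin-wildcard")
        # Browsers reject a wildcard combined with credentials.
        if res.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("wildcard-with-credentials")
    elif origin is not None and acao != origin:
        findings.append("allow-origin-mismatch")

    # Preflight: the requested method must be listed in the response.
    wanted = req.get("access-control-request-method")
    if method.upper() == "OPTIONS" and wanted:
        allowed = {m.strip().upper() for m in
                   res.get("access-control-allow-methods", "").split(",")}
        if wanted.upper() not in allowed:
            findings.append("preflight-method-not-allowed")
    return findings

PREFLIGHT = {"Origin": "https://app.example.com",
             "Access-Control-Request-Method": "POST"}
SAMPLES = {  # constructed request/response pairs
    "no_origin_sent": ("POST", {"Content-Type": "application/json"}, {}),
    "wildcard": ("OPTIONS", PREFLIGHT, {"Access-Control-Allow-Origin": "*",
                 "Access-Control-Allow-Methods": "GET, POST"}),
    "allowlisted": ("OPTIONS", PREFLIGHT,
                    {"Access-Control-Allow-Origin": "https://app.example.com",
                     "Access-Control-Allow-Methods": "GET, POST"}),
}

def run_samples():
    return {name: audit_cors(*s) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```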
There is another question posted by you, if they are talking about the same issue. I have tried giving a response, if that helps-
Another thread-