JS Asset Picker: No 'Access-Control-Allow-Origin' header is present on the requested resource

trumb1mj

21-09-2020

I'm using the asset picker documented here: https://helpx.adobe.com/experience-manager/6-2/assets/using/asset-picker.html

I keep getting the following error and am wondering what I'm doing wrong.

Access to XMLHttpRequest at 'https:/blah/content/dam/example.jpg' from origin 'https://local.test.blah.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Do I need to change my header or something? I'm using an XHR JavaScript request.

Accepted Solutions (0)

Answers (2)

trumb1mj

22-09-2020

It seems the entire difference between a working request and a broken one is the cookie being passed up.

The working one includes ApplicationGatewayAffinityCORS, ApplicationGatewayAffinity, login-token and cq-authoring-mode.

The broken one only has ApplicationGatewayAffinityCORS.

So I guess my question is: How do I get the login-token (and other fields) from AEM? Can I force XHR to somehow use the default browser values for this?

vanegi

Employee

21-09-2020

Check if https://local.test.blah.com is added to the allowed origins of the Adobe Granite Cross-Origin Resource Sharing Policy (com.adobe.granite.cors.impl.CORSPolicyImpl) configuration.

Also check the following:

  • Manually recreate the XHR requests using curl, but make sure to copy all headers and details, as each one can make a difference; some browser consoles allow you to copy the curl command
  • Verify if the request was denied by the CORS handler and not by the authentication, CSRF token filter, dispatcher filters, or other security layers
    • If the CORS handler responds with 200, but the Access-Control-Allow-Origin header is absent from the response, review the logs for denials under DEBUG in com.adobe.granite.cors
  • If dispatcher caching of CORS requests is enabled:
    • Ensure the /headers configuration is applied to dispatcher.any and the web server is successfully restarted
    • Ensure the cache was properly cleared after any OSGi or dispatcher.any configuration changes.
  • If required, check for the presence of authentication credentials on the request.
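
An added example (not part of the original thread and not Adobe's code): the CORS check a browser applies to a response, per the Fetch standard, plus the triage order from the checklist above, meant to be run on the status and headers of a curl replay. The function names, reason strings, sample headers and the status-code heuristic in `triage` are assumptions made for illustration.

```javascript
// Added example. Pass in the headers exactly as a curl replay returned them.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v.trim();
  return out;
}

// The CORS check from the Fetch standard, as the browser applies it.
function corsCheck(origin, withCredentials, rawHeaders) {
  const h = lowerKeys(rawHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return { ok: false, reason: 'no-allow-origin-header' };
  if (allowOrigin === '*') {
    // A wildcard never satisfies a credentialed (cookie-carrying) request.
    return withCredentials
      ? { ok: false, reason: 'wildcard-with-credentials' }
      : { ok: true, reason: 'wildcard' };
  }
  if (allowOrigin !== origin) return { ok: false, reason: 'origin-mismatch' };
  if (!withCredentials) return { ok: true, reason: 'origin-match' };
  // With xhr.withCredentials = true the response must also carry
  // Access-Control-Allow-Credentials: true (compared case-sensitively).
  return h['access-control-allow-credentials'] === 'true'
    ? { ok: true, reason: 'origin-match-with-credentials' }
    : { ok: false, reason: 'credentials-not-allowed' };
}

// Heuristic (assumption): map a failing replay onto the checklist's layers.
function triage(origin, withCredentials, status, rawHeaders) {
  const check = corsCheck(origin, withCredentials, rawHeaders);
  if (check.ok) return 'cors-ok';
  if (check.reason !== 'no-allow-origin-header') return check.reason;
  // Rejected with an auth-style status: look at login, CSRF, dispatcher first.
  if (status === 401 || status === 403) return 'check-auth-csrf-dispatcher-first';
  // 200 without the header: review DEBUG output of com.adobe.granite.cors.
  if (status === 200) return 'check-cors-debug-log';
  return check.reason;
}

// Constructed samples: the origin is from the question, the responses are invented.
const ORIGIN = 'https://local.test.blah.com';
const samples = [
  [200, {}],
  [403, {}],
  [200, { 'Access-Control-Allow-Origin': ORIGIN }],
  [200, { 'Access-Control-Allow-Origin': ORIGIN, 'Access-Control-Allow-Credentials': 'true' }],
];
for (const [status, headers] of samples) {
  console.log(status, JSON.stringify(headers), '->', triage(ORIGIN, true, status, headers));
}
```
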