Expand my Community achievements bar.

JS Asset Picker: No 'Access-Control-Allow-Origin' header is present on the requested resource

Avatar

Level 1
Level 1
9/21/20 6:52:26 AM

I'm using the asset picker documented here:  https://helpx.adobe.com/experience-manager/6-2/assets/using/asset-picker.html

 

I keep getting the following error and wondering what I'm doing wrong?

 

Access to XMLHttpRequest at 'https:/blah/content/dam/example.jpg' from origin 'https://local.test.blah.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Do I need to change my header or something?  I'm using an XHR javascript request.

Views

806

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
3 Replies

Avatar

Employee
Employee
9/21/20 8:36:34 AM

Check if https://local.test.blah.com is added in allowed origins of Adobe Granite Cross-Origin Resource Sharing Policy ( com.adobe.granite.cors.impl.CORSPolicyImpl ) configuration.

 

Also check the following:

 

  • Manually recreate XHR requests using curl, but make sure to copy all headers and details, as each one can make a difference; some browser consoles allow to copy the curl command
  • Verify if request was denied by the CORS handler and not by the authentication, CSRF token filter, dispatcher filters, or other security layers
    • If CORS handler responds with 200, but Access-Control-Allow-Origin header is absent on the response, review the logs for denials under DEBUG in com.adobe.granite.cors
  • If dispatcher caching of CORS requests is enabled
    • Ensure the /headers configuration is applied to dispatcher.any and the web server is successfully restarted
    • Ensure the cache was properly cleared after any OSGi or dispatcher.any configuration changes.
  • if required, check presence of authentication credentials on the request.

Views

775

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
9/21/20 9:49:18 AM
In response to vanegi
I'm actually seeing something interesting now. It appears as though I'm getting a 302 back and a location url to a login page even though I'm already authenticated in the browser. If I visit the asset url directly it downloads without issue...

Views

766

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
9/22/20 6:18:27 AM

It seems the entire difference between a working request and a broken one is the cookie being passed up.

 

The working one includes ApplicationGatewayAffinityCORSApplicationGatewayAffinitylogin-token and cq-authoring-mode.

 

The broken one only has ApplicationGatewayAffinityCORS.

 

So I guess my question is: How do I get the login-token (and other fields) from AEM? Can I force xhr to somehow use the default browser values for this?

Views

711

Replies

0
Sign in to like this content

Total Likes

Translate
Translate