Posted: 15 Apr 2016 9:22 EDT Last activity: 4 Oct 2018 13:54 EDT
CORS - Pre-Flight Requests Failing
We are trying to access a REST service exposed from a Pega application from another web application.
We configured the HTTP header as below for CORS.
However, requests are failing with the errors below:
XMLHttpRequest cannot load http://myPegaApp.com/Service. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://myAnotherApp.com' is therefore not allowed access.
Do we have to configure the OPTIONS method to pass the preflight request? Are there any other configurations to be done to pass preflight requests?
A resource makes a cross-origin HTTP request when it requests a resource from a different domain than the one which served itself. For example, an HTML page served from http://domain-a.com makes an <img> src request for http://domain-b.com/image.jpg. Many pages on the web today load resources such as CSS stylesheets, images and scripts from separate domains.
CORS gives web servers cross-domain access controls, which enable secure cross-domain data transfers. Modern browsers use CORS in an API container, such as XMLHttpRequest, to mitigate risks of cross-origin HTTP requests.
Note that CORS communication and access must happen using http:// across the domains. The user tried invoking the REST service using CORS with file:// (a local file) and got this error.
Therefore, Pega recommends that the user try this invocation from a page that is hosted on a domain server instead of a local file path.
You don't need to specifically configure the OPTIONS method. As per CORS, the browser automatically sends a preflight request from the client to the target server before making the actual request. The server sends back a preflight response with the supported methods, allowed origins and headers, like below.
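
The preflight exchange discussed in this thread, modelled on both sides as an added example (not part of the original posts and not Pega code). `POLICY`, `preflightResponse`, `browserCheck` and `preflight` are hypothetical names, and the allowlist is constructed from the origin shown in the error message.

```javascript
// Constructed policy for illustration; the origin is the one named in the error above.
const POLICY = {
  origins: new Set(["http://myAnotherApp.com"]),
  methods: ["GET", "POST", "PUT"],
  headers: ["content-type", "authorization"],
};
const split = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Server side: answer the OPTIONS preflight. CORS headers are sent only to
// allowlisted origins, and the origin is echoed rather than answered with "*".
function preflightResponse(req, policy = POLICY) {
  const origin = req.headers["origin"];
  if (!policy.origins.has(origin)) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": origin,
      "access-control-allow-methods": policy.methods.join(", "),
      "access-control-allow-headers": policy.headers.join(", "),
      "vary": "Origin",
    },
  };
}

// Browser side: simplified access control check on the preflight response.
// Assumes a request without credentials; "*" in the methods/headers lists is not modelled.
function browserCheck(req, res) {
  const acao = res.headers["access-control-allow-origin"];
  if (!acao) return "blocked: no Access-Control-Allow-Origin header";
  if (acao !== "*" && acao !== req.headers["origin"]) return "blocked: origin mismatch";
  if (res.status < 200 || res.status > 299) return "blocked: preflight status not ok";
  const method = req.headers["access-control-request-method"];
  const safelisted = ["GET", "HEAD", "POST"]; // never need to be listed
  if (!safelisted.includes(method) && !split(res.headers["access-control-allow-methods"]).includes(method))
    return `blocked: method ${method} not allowed`;
  const allowed = split(res.headers["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const h of split(req.headers["access-control-request-headers"]))
    if (!allowed.includes(h.toLowerCase())) return `blocked: header ${h} not allowed`;
  return "allowed";
}

// Run one preflight exchange end to end and return the browser's verdict.
function preflight(origin, method, requestHeaders = "") {
  const headers = { origin, "access-control-request-method": method, "access-control-request-headers": requestHeaders };
  const req = { method: "OPTIONS", headers };
  return browserCheck(req, preflightResponse(req));
}

// A page opened from file:// sends "Origin: null", which is not in the allowlist.
console.log(preflight("null", "GET", "content-type"));
```

The first failure branch corresponds to the error quoted in the question: a preflight response without `Access-Control-Allow-Origin` is rejected before the method or header lists are consulted.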