How do I configure Cross-Origin Requests?

I have a Javascript client (https://chronicleweb.gochronicle.net). I keep getting Cross-Origin Request Blocked:

The Same Origin Policy disallows reading the remote resource at https://j808983.gochronicle.net:8097/bin?1572372846813. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://j808983.gochronicle.net:8097/bin?1572372846813. (Reason: CORS request did not succeed).

I have CORS on the server set to:

channel.SendCrossOriginHeader = true;

I have had all of this working over http://. locally to the server. This all started when I attempted to use SSL.

What do I need to do to get this to work?

Thanks,
Todd

Server Channel exposes an event named OnCustomCrossOrigin that allows to setup the CORS response.

However please double-check that your server has CORS enabled. I do not see the CORS response when I try to ping the server mentioned in the error message

Sorry, I should have checked that. You put me on the right track. The SSL channel was not being set correctly it is now. It works!

channel.SendCrossOriginHeader = true;

It helps if you set the correct channel…:blush:

Is there a way to limit exposure on the RODA server like this?

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: http://example.com:8080

Unfortunately definition of this HTTP header does not allow

  • Returning multiple domains like http://example1.com,http:/example2.com . Only single domain or * are allowed
  • Using wildcards like http://*.example1.com
  • Omitting protocol like example.com
  • Omitting non-default ports like returning http://example.com for API running at http://example.com:8099

EDIT: But ‘definition’ here I mean that these limitations are not specific to Remoting SDK. It is how this header is defined by W3: https://www.w3.org/TR/cors/#access-control-allow-origin-response-header