CORS preflight with webspeed on 10.2b

Posted by AdrianJones on 14-Sep-2018 07:55

Hi All,

i'm trying to develop a webspeed api in 10.2b that receives and returns json via a POST. this is to be called from some other web page (an angular app - eventually) and so chrome is using cors for the cross site verification. I'm struggling to get this to work and wondered if anyone has done this before and has any tips etc.

for my normal data response i'm sending...

output-http-header("Access-Control-Allow-Origin", "*"). 

output-http-header("Access-Control-Allow-Methods", "GET, POST, OPTIONS, HEAD").


/* populate dsResponse somehow */

 DATASET dsResponse:WRITE-JSON("stream":U, "webstream":U).

this seems to work OK.

when the preflight is required i tried checking the request and short circuiting the response...

IF request_method = "OPTIONS" THEN

output-http-header("Access-Control-Allow-Origin", "*"). 
output-http-header("Access-Control-Allow-Methods", "GET, POST, OPTIONS, HEAD").



This doesn't seem to be working. I;m getting bad gate-way error and No 'Access-Control-Allow-Origin' header is present on the requested resource.

Am i barking up the wrong tree here? Is it possible to handle CORS in this manner.

I've also googled and discovered possible IIS config option or using a cors proxy. Anyone any experience with these?


All Replies

Posted by Matt Baker on 14-Sep-2018 08:02

Webspeed messenger only works with GET and POST.  Maybe someone can correct me, but I don’t think PUT, OPTIONS, or HEAD work.  The messenger doesn’t pass them through.
You have to switch to PASOE to have the other verbs work.

Posted by oedev on 14-Sep-2018 08:29

We're on 10.2b and managed to work around this in a couple of different ways (in dev anyway)

1 - If you are using Angular and have a live server running (by default on locahost:4200), configure a proxy as per the examples here:

2 - if your API (i.e. the webpseed bit) is fronted by an Apache web-server, you can set the headers in the httpd.conf as follows (this still requires the changes that you've made to set the access control headers;

Listen 80

<VirtualHost *:80>

   DocumentRoot "${SRVROOT}"


   # Other directives here

   Header set Access-Control-Allow-Origin "http://localhost:4200"

   Header set Access-Control-Allow-Credentials "true"

   Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"


Posted by AdrianJones on 14-Sep-2018 08:39

You're correct that it says that classic only supports GET/POST, but if I put debug messages in my "IF request_method = "OPTIONS" THEN ..." block it IS executing. Strange.

Posted by AdrianJones on 18-Sep-2018 10:35

managed to get this working with IIS cors plugin and modifying web.config...

<?xml version="1.0" encoding="utf-8"?>



   <cors enabled="true">

       <add origin="">

       <allowHeaders allowAllRequestedHeaders="true" />


           <add method="GET" />

           <add method="HEAD" />

           <add method="POST" />






This thread is closed