Setting HTTP headers for CORS policy

  • 26 June 2023
  • 8 replies

Hi all - I’m new to CDF.

I’d like to call CDF from JavaScript running in a browser using a bearer token as authentication.

This request works fine when made from a tool such as Postman, but when the same call is made from JavaScript running in a browser using the same URL and bearer token, the browser’s CORS policy blocks the request because CDF has not responded to the preflight OPTIONS request with the HTTP header Access-Control-Allow-Credentials: true

Apart from this, CDF is correctly sending out all the other HTTP headers needed to satisfy the browser’s CORS policy such as






Where do I configure CDF to respond with this additional HTTP header?



Best answer by Freyja Østrem 29 June 2023, 14:07

View original

8 replies

CORS settings are not configurable in CDF, to the best of my knowledge.


There must be some configuration done somewhere because the other HTTP header Access-Control-Allow-Origin has been correctly configured to a company-specific server name.

This is not a value CDF would come shipped with

I believe `Access-Control-Allow-Origin` is configured with `*` for the CDF API.
What is the specific endpoint you are making a request against? Are you utilizing the published Javascript SDK?

I’m making an XHR request to from within the SAP client-side framework called SAPUI5.

BTW, this JavaScript framework is not based on React

When I call this API from Postman and supply a bearer token, everything works fine because Postman does not implement a CORS policy.  But when the call is performed from within the browser, all but one of the required CORS response headers are supplied.  The missing header is Access-Control-Allow-Credentials

Does anyone have an idea here?

 CDF has already been configured to return an internal AkerBP hostname in the header field Access-Control-Allow-Origin 

The only header field missing is Access-Control-Allow-Credentials, so my reasoning is that if one header field has been configured correctly, then it must be possible to configure the one remaining field

This is turning into a showstopper...

There is no configuration of allow-origins in the CDF API.

So how does CDF indicate to a CORS-enabled client that it will accept authenticated incoming requests?

The browser’s CORS policy will not send user credentials as parr of the request unless the server responds to the CORS preflight OPTIONS request with Access-Control-Allow-Credentials: true

Does the CORS request set the request option to include browser credentials ({ credentials: "include" } for Fetch API, or request.withCredentials = true for XMLHttpRequest)? Browsers should only block CORS requests when Access-Control-Allow-Credentials: true is not present if that request option is set, which it is not by default.

For security reasons, the CDF API does not use any form of browser credentials (such as cookies) for authentication, which is why we do not set that CORS header in the OPTIONS response. Because of this, the CORS request options should either have the browser credentials request option set to omit credentials, or have it be unset (using the default value).

Authentication is only done with a bearer token in the Authorization header set in the request, which does not require Access-Control-Allow-Credentials: true and only requires Access-Control-Allow-Headers to include the Authorization header, which it as far as I can tell does.