Does the CORS request set the request option to include browser credentials (`{ credentials: "include" }` for Fetch API, or `request.withCredentials = true` for XMLHttpRequest)? Browsers should only block CORS requests when `Access-Control-Allow-Credentials: true` is not present if that request option is set, which it is not by default.
For security reasons, the CDF API does not use any form of browser credentials (such as cookies) for authentication, which is why we do not set that CORS header in the OPTIONS response. Because of this, the CORS request options should either have the browser credentials request option set to omit credentials, or have it be unset (using the default value).
Authentication is only done with a bearer token in the `Authorization` header set in the request, which does not require `Access-Control-Allow-Credentials: true` and only requires `Access-Control-Allow-Headers` to include the `Authorization` header, which, as far as I can tell, it does.
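As an added example, not code from this thread, from Cognite or from the CDF SDK, the snippet below models the browser-side checks just described: a bearer token travels in the `Authorization` header, the credentials mode stays at its default (or `omit`), and the preflight response only needs to allow the origin and list `Authorization` in `Access-Control-Allow-Headers`. The page origin, the token and the preflight response headers are constructed placeholders; the check is a simplified version of what a browser does, written to show which response header each request option makes mandatory.

```javascript
// Added example, not from the thread: a simplified model of the browser-side
// CORS checks that decide whether a cross-origin request carrying a bearer
// token goes through. Page origin, token and preflight responses are constructed.

const PAGE_ORIGIN = "https://app.example.com";      // constructed page origin
const TOKEN = "<bearer-token-placeholder>";         // constructed placeholder

// Client request options. With a bearer token the credentials mode stays at
// the default ("same-origin": no cookies are sent cross-origin) or "omit";
// "include" is what makes the browser demand Access-Control-Allow-Credentials: true.
function buildRequest(credentials = "same-origin") {
  return {
    method: "POST",
    mode: "cors",
    credentials,
    headers: {
      Authorization: `Bearer ${TOKEN}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ search: { name: "temperature" }, limit: 10 }),
  };
}

// Request headers that are not CORS-safelisted and therefore must be listed in
// Access-Control-Allow-Headers on the preflight response.
const SAFE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
function headersNeedingAllowance(headers) {
  const needed = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (["accept", "accept-language", "content-language"].includes(n)) continue;
    if (n === "content-type" && SAFE_CONTENT_TYPES.includes(value.split(";")[0].trim().toLowerCase())) continue;
    needed.push(n);
  }
  return needed;
}

// Simplified checks a browser applies to the preflight response.
// responseHeaders keys are lower-case. Returns { allowed, reason }.
function preflightAllows(request, responseHeaders) {
  const credentialed = request.credentials === "include";
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const allowCreds = responseHeaders["access-control-allow-credentials"];
  const allowHeaders = (responseHeaders["access-control-allow-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);

  if (credentialed) {
    // A credentialed request needs the exact origin echoed back ("*" is rejected)
    // and Access-Control-Allow-Credentials: true.
    if (allowOrigin !== PAGE_ORIGIN) {
      return { allowed: false, reason: `credentialed request needs Access-Control-Allow-Origin: ${PAGE_ORIGIN}, got ${allowOrigin}` };
    }
    if (allowCreds !== "true") {
      return { allowed: false, reason: "credentialed request needs Access-Control-Allow-Credentials: true" };
    }
  } else if (allowOrigin !== "*" && allowOrigin !== PAGE_ORIGIN) {
    return { allowed: false, reason: `origin ${PAGE_ORIGIN} not allowed by Access-Control-Allow-Origin: ${allowOrigin}` };
  }

  for (const h of headersNeedingAllowance(request.headers)) {
    // "*" in Access-Control-Allow-Headers only counts for non-credentialed
    // requests and, per the Fetch spec, never covers Authorization.
    const wildcardOk = !credentialed && allowHeaders.includes("*") && h !== "authorization";
    if (!wildcardOk && !allowHeaders.includes(h)) {
      return { allowed: false, reason: `request header ${h} not listed in Access-Control-Allow-Headers` };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Constructed preflight response shaped like the one the thread describes: an
// origin is allowed and Authorization is listed, but no
// Access-Control-Allow-Credentials header is present.
const CDF_LIKE_PREFLIGHT = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, POST, OPTIONS",
  "access-control-allow-headers": "Authorization, Content-Type",
};

function demo() {
  for (const mode of ["same-origin", "omit", "include"]) {
    console.log(mode, preflightAllows(buildRequest(mode), CDF_LIKE_PREFLIGHT));
  }
}
demo();
```

Running it shows `same-origin` and `omit` pass while `include` is blocked, which is the behaviour the thread is circling: a client that sets `credentials: "include"` (or `withCredentials = true`) asks the browser to enforce a header the token-only API never needs to send, so the fix lives in the request options, not in the server configuration.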
So how does CDF indicate to a CORS-enabled client that it will accept authenticated incoming requests?
The browser’s CORS policy will not send user credentials as part of the request unless the server responds to the CORS preflight OPTIONS request with `Access-Control-Allow-Credentials: true`.
There is no configuration of allow-origins in the CDF API.
Does anyone have an idea here?
CDF has already been configured to return an internal AkerBP hostname in the header field `Access-Control-Allow-Origin`. The only header field missing is `Access-Control-Allow-Credentials`, so my reasoning is that if one header field has been configured correctly, then it must be possible to configure the one remaining field.
This is turning into a showstopper...
I’m making an XHR request to https://api.cognitedata.com/api/v1/projects/akerbp/timeseries/search from within the SAP client-side framework called SAPUI5.
BTW, this JavaScript framework is not based on React
When I call this API from Postman and supply a bearer token, everything works fine because Postman does not implement a CORS policy. But when the call is performed from within the browser, all but one of the required CORS response headers are supplied. The missing header is `Access-Control-Allow-Credentials`.
I believe `Access-Control-Allow-Origin` is configured with `*` for the CDF API.
What is the specific endpoint you are making a request against? Are you utilizing the published Javascript SDK?
Hmmm…
There must be some configuration done somewhere because the other HTTP header `Access-Control-Allow-Origin` has been correctly configured to a company-specific server name. This is not a value CDF would come shipped with.
CORS settings are not configurable in CDF, to the best of my knowledge.