asked on June 18, 2021
Support,
We have Flexmonster Accelerator from the v2.8.3 download running on our SSAS server with IIS installed. The server has the Microsoft CORS module installed.
The Flexmonster Accelerator Manager logs show a successful connection made from our Angular 6 web client with data returned.
But CHROME is blocking the request:
Access to XMLHttpRequest at 'http://[our_ssas_server]:50005/FlexmonsterProxy/Handshaking' from origin 'http://localhost:400' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
How do we configure the Accelerator running as a service on the SSAS server with the info needed by CORS?
Below is an example web.config file below:
Thank you,
Michael Jiambalvo
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings />
<system.web>
<authentication mode="Windows" />
<webServices>
<protocols>
<add name="HttpGet" />
<add name="HttpPost" />
</protocols>
</webServices>
</system.web>
<system.webServer>
<cors enabled="true" failUnlistedOrigins="true">
<add origin="*" />
<add origin="localhost:400" allowCredentials="true" maxAge="120">
<allowHeaders allowAllRequestedHeaders="true">
<add header="Origin" />
<add header="Content-Type" />
<add header="Accept" />
<add header="Authorization" />
</allowHeaders>
<allowMethods>
<add method="OPTIONS" />
<add method="TRACE" />
<add method="GET" />
<add method="HEAD" />
<add method="POST" />
</allowMethods>
</add>
<add origin=http://* allowed="false" />
</cors>
<httpProtocol>
<customHeaders>
<add name="Age" value="0" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
⋅ June 22, 2021
Hello, Michael,
Thank you for contacting us.
The issue you are facing is caused by the CORS policy. It implies that credentials cannot be included in the request if the CORS header Access-Control-Allow-Origin is set to *. Please specify the exact set of allowed origins to use credentials in your application. Learn more from MDN Web Docs: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’.
Also, please make sure all the OPTIONS requests will be answered despite their credentials. It means all the OPTIONS requests made from predefined origins should receive a response from the server. It allows notifying the client-side about the CORS configuration defined on the backend.
Further requests (POST, GET, etc.) should be authorized as usual.
Finally, please update Flexmosnter Accelerator to the latest version. Later versions of the Accelerator introduce features and optimizations that may be useful for your case.
Please let us know if it helps.
Looking forward to hearing from you.
Best regards,
Illia
