
Please Help Resolve :- Cross-Origin Request Blocked: The Same Origin Policy disallows reading....(Reason: CORS header ‘Access-Control-Allow-Origin’ missing)


Alick Banda (43116) | asked Nov 28 '16, 8:10 a.m.
Good day,

I am hoping someone has an idea on how to resolve this issue.

We are currently developing a web application that will/should interact with the Change and Configuration Management tool (ccm). Currently, we are trying to implement authentication (using javascript and REST calls) into the jazz application, but when we try to invoke the function, we get the error: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://<server name>/jts/authenticated/identity/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Our Jazz environment (6.0) is a distributed one, with IHS routing requests, and various Jazz applications deployed on WebSphere Application Server (8.5.5.x).

I am not exactly sure what I need to do in order to resolve this problem. I have read through:
https://jazz.net/forum/questions/208098/cross-domain-request-in-firefox-to-get-dwa-data-into-an-opensocial-gadget-in-rqm, as well as https://jazz.net/forum/questions/151485/does-rtc-support-cors-cross-origin-resource-needed-for-a-javascript-oslc-consumer, but I still do not get any happiness.

Please help, or rather point me in the right direction.

Best Regards,
Alick

One answer



Warren Arcen (11) | answered Jul 26, 12:59 a.m.

The Same Origin Policy (SOP) is the policy browsers implement to prevent vulnerabilities via Cross Site Scripting (XSS). In other words, the browser would not allow any site to make a request to any other site. It would prevent different origins from interacting with each other through such requests, like AJAX. This policy exists because it is too easy to inject a link to a javascript file that is on a different domain. This is a security risk - you really only want code that comes from the site you are on to execute and not just any code that is out there.


The Cross Origin Resource Sharing (CORS) is one of the few techniques for relaxing the SOP. Because SOP is "on" by default, setting CORS at the server-side will allow a request to be sent to the server via an XMLHttpRequest even if the request was sent from a different domain. This becomes useful if your server was intended to serve requests from other domains (e.g. if you are providing an API).

JSON with Padding is just a way to circumvent same-origin policy, when CORS is not an option. This is risky and a bad practice. Avoid using this.

If you want to bypass that restriction when fetching the contents with fetch API or XMLHttpRequest in javascript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.

If you need to enable CORS on the server in case of localhost, you need to have the following on the request header.

Access-Control-Allow-Origin: http://localhost:9999
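As an added example, not code from the original post or from Jazz/IHS/WebSphere: how a server or a reverse proxy placed in front of the Jazz applications could compute the CORS response headers against an explicit allowlist of origins instead of `*`, including the preflight OPTIONS case. The `localhost:9999` origin comes from the answer above; the other origin and the request objects are constructed sample values.

```javascript
// Added example (not from the original post): build CORS response headers
// from an explicit origin allowlist rather than "*". Sample values are constructed.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:9999",        // the development origin named in the answer
  "https://webapp.example.com",   // constructed: the deployed web application origin
]);

// Returns the headers to add to a response for a request carrying `origin`,
// or null when the origin is not allowlisted. In that case no CORS headers are
// sent at all, so the browser blocks the read, which is the intended outcome.
function corsHeadersFor(origin, { credentials = true, preflight = false } = {}) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    // Echo the exact allowed origin. Browsers reject "*" when the request is
    // made with credentials (cookies or an Authorization header), which a
    // login call against /jts/authenticated/identity/ needs.
    "Access-Control-Allow-Origin": origin,
    // Tell caches the answer varies per origin, so one origin's CORS response
    // is never served to a different origin.
    "Vary": "Origin",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (preflight) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600"; // seconds the preflight may be cached
  }
  return headers;
}

// Handle one request { method, headers } (header names lower-cased) and
// return { status, headers } describing the CORS part of the response.
function handleCors(req) {
  const origin = req.headers["origin"];
  const isPreflight = req.method === "OPTIONS" &&
    "access-control-request-method" in req.headers;
  const cors = corsHeadersFor(origin, { preflight: isPreflight });
  if (isPreflight) {
    // Preflight: 204 with the CORS headers, or 403 when the origin is not allowed.
    return cors ? { status: 204, headers: cors } : { status: 403, headers: {} };
  }
  // Plain request: the resource is served normally; CORS headers only if allowed.
  return { status: 200, headers: cors || {} };
}
```

A same-origin request carries no Origin header and therefore gets no CORS headers, which is the correct behaviour rather than an error.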

