Oracle Analytics Cloud and Server

Preflight CORS error when trying to embed DV content to another site


Summary: Getting a Preflight CORS error when trying to embed DV content to another site

SR 3-28568263651

Content (required): Error message from Chrome Dev tools:

Error:

Access to XMLHttpRequest at 'https://vzinsights.verizon.com/dv/ui/api/v2/items/%40Catalog/shared/PMRA/Published%20DV/Assurance/Global%20Service%20Assurance%20RCA?&projectType=auto&{}' from origin 'https://globalops-stage.verizon.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

Origin site has been added to Safe Domains in OAS. HTTP Headers have been updated. Any suggestions/tips on what else to do to get rid of this CORS error?

Version (include the version you are using, if applicable): OAS 5.9



Answers

  • On the web application where you are attempting to embed this visualization, have you enabled non-origin sources?

    Typically, you'd have to enable embedding and set your Referrer Policy to allow sources outside of the web application.

  • Angel, I'll contact you directly so we can pick up the troubleshooting, perhaps looking at a different aspect.

    Mike

  • Michal Zima ✭✭✭✭✭

    @Mike Durran-Oracle Hi Mike, we are trying to set up DV embedding for our OAS 5.9 environment as well (our OAS 5.9 environment is integrated with Oracle Access Manager for SSO setup) and we are fighting with exactly the same problem as Angel (safe domains are defined correctly in OAS). Could you please help?

  • Michal - could you contact me direct on email please to discuss - do you also have an SR logged?

    Thanks

    Mike

  • Michal Zima ✭✭✭✭✭

    @Mike Durran-Oracle Yes, I will drop you an email.

    No SR has been logged (I am skeptical that anybody could help me with this from ORA support, especially when the setup/issue "spans" 2 Oracle products, OAS and OAM. My own personal experience...)

    Thanks

    Michal

  • Angel Shipp ✭✭✭✭✭

    Thank you, @Mike Durran-Oracle for reaching out and providing assistance. DV Embedding now works successfully -- CORS errors are now gone by resolving issues in SSO and OAS/Apache server.

  • user1717232 ✭✭✭

    I am running into the same issue with our SSO implementation. Could you please share how you fixed it?

  • Solution when OAS is configured SSO using SiteMinder:

    1. In SSO SiteMinder:

      a. Removed OPTIONS from the protected realm

      b. Set autoauthorizeoptions=Yes

    2. In the Apache conf:

    Added the below header values in virtual host 443:

    Header set Access-Control-Max-Age "300"
    Header set Access-Control-Allow-Credentials "true"
    Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, x-csrf-token"
    Header set Access-Control-Allow-Methods "POST, GET, PUT, DELETE, PATCH, OPTIONS"

  • If the OAS SSO is configured using Custom SSO (Hybrid Model) using SAML SSO Docker approach, the config in Apache HTTP Server for analytics.conf should be as below to exclude OPTIONS for dv.

     <Location /dv>
       SetHandler weblogic-handler
       WeblogicHost <oac-bi-weblogic-hostname>
       WebLogicPort 9704
       WLIOTimeoutSecs 6000
       WLSocketTimeoutSecs 600
       <LimitExcept OPTIONS>
        AuthType shibboleth
        ShibRequestSetting requireSession true
        Require valid-user
        #ShibCompactWith24 On
        ShibUseEnvironment Off
        ShibUseHeaders On
       </LimitExcept>
     </Location>

     <Location /dv/ui>
       SetHandler weblogic-handler
       WeblogicHost <oac-bi-weblogic-hostname>
       WebLogicPort 9704
       WLIOTimeoutSecs 6000
       WLSocketTimeoutSecs 600
       <LimitExcept OPTIONS>
        AuthType shibboleth
        ShibRequestSetting requireSession true
        Require valid-user
        #ShibCompactWith24 On
        ShibUseEnvironment Off
        ShibUseHeaders On
       </LimitExcept>
     </Location>


    In short, the solution is to exclude OPTIONS of the /dv and /dv/ui protected resources from SSO authentication.

    The below headers in Apache are also needed for a successful embedding.

    Header set Access-Control-Max-Age "300"
    Header set Access-Control-Allow-Credentials "true"
    Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, x-csrf-token"
    Header set Access-Control-Allow-Methods "POST, GET, PUT, DELETE, PATCH, OPTIONS"

  • If the SSO is through OAM, ensure that you exclude OPTIONS in OAM Configuration.
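
A way to check the fixes described in the three solutions above, as an added example that is not part of the original thread or of any Oracle tooling: it evaluates a preflight (OPTIONS) response the way a browser does for a credentialed request, so the SSO redirect and any missing header show up by name. The function names, the example.com hosts and the sample responses are constructed; the Access-Control-Allow-Origin value in the sample is an assumption, since the Apache snippets in the thread do not set it. Pass only non-safelisted request headers (such as x-csrf-token) in `req_headers`.

```python
import http.client
from urllib.parse import urlsplit
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need Access-Control-Allow-Methods

def _tokens(value):
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def check_preflight(status, headers, origin, method="GET", req_headers=()):
    """Reasons a browser would reject this credentialed preflight ([] = pass)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if 300 <= status < 400:
        # The failure in this thread: the SSO layer answers OPTIONS with a login redirect.
        return [f"redirect {status} to {h.get('location', '(no Location)')}"]
    problems = []
    if not 200 <= status < 300:
        problems.append(f"status {status} is not 2xx")
    if h.get("access-control-allow-origin") != origin:
        # With credentials "*" is rejected; the exact origin must be returned.
        problems.append("Access-Control-Allow-Origin does not equal the Origin")
    if h.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    if (method.upper() not in SAFELISTED_METHODS
            and method.lower() not in _tokens(h.get("access-control-allow-methods"))):
        problems.append(f"{method} missing from Access-Control-Allow-Methods")
    allowed = _tokens(h.get("access-control-allow-headers"))
    problems += [f"{n} missing from Access-Control-Allow-Headers"
                 for n in req_headers if n.lower() not in allowed]
    return problems

def probe(url, origin, method="GET", req_headers=()):
    """Send one preflight to your own server without following redirects."""
    u = urlsplit(url)
    req = {"Origin": origin, "Access-Control-Request-Method": method}
    if req_headers:
        req["Access-Control-Request-Headers"] = ", ".join(req_headers)
    conn = http.client.HTTPSConnection(u.netloc, timeout=10)
    conn.request("OPTIONS", (u.path or "/") + ("?" + u.query if u.query else ""), headers=req)
    resp = conn.getresponse()
    return check_preflight(resp.status, dict(resp.getheaders()), origin, method, req_headers)

# Constructed sample responses (example.com names are placeholders).
ORIGIN = "https://portal.example.com"
SSO_REDIRECT = (302, {"Location": "https://sso.example.com/login"})
AFTER_FIX = (200, {
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "POST, GET, PUT, DELETE, PATCH, OPTIONS",
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept, Authorization, x-csrf-token",
})
```

`check_preflight(*SSO_REDIRECT, ORIGIN)` reports the redirect, and `check_preflight(*AFTER_FIX, ORIGIN, "PUT", ["x-csrf-token"])` returns an empty list.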

  • user1717232 ✭✭✭

    This was immensely helpful. Thank you. This should get put into a note for Metalink. Thanks again!