Preflight CORS error when trying to embed DV content to another site
Summary: Getting a Preflight CORS error when trying to embed DV content to another site
SR 3-28568263651
Content (required): Error message from Chrome Dev tools:
Error:
Access to XMLHttpRequest at 'https://vzinsights.verizon.com/dv/ui/api/v2/items/%40Catalog/shared/PMRA/Published%20DV/Assurance/Global%20Service%20Assurance%20RCA?&projectType=auto&{}' from origin 'https://globalops-stage.verizon.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
Origin site has been added to Safe Domains in OAS. HTTP Headers have been updated. Any suggestions/tips on what else to do to get rid of this CORS error?
Version (include the version you are using, if applicable): OAS 5.9
Answers
-
On the web application where you are attempting to embed this visualization, have you enabled non-origin sources?
Typically, you'd have to enable embedding and set your Referrer Policy to allow sources outside of the web application.
0 -
Angel, I'll contact you directly so we can pick up the troubleshooting, perhaps looking at a different aspect.
Mike
0 -
@Mike Durran-Oracle Hi Mike, we are trying to set up DV embedding for our OAS 5.9 environment as well (our OAS 5.9 environment is integrated with Oracle Access Manager for SSO setup) and we are fighting with exactly the same problem as Angel (safe domains are defined correctly in OAS). Could you please help?
0 -
Michal - could you contact me direct on email please to discuss - do you also have an SR logged?
Thanks
Mike
0 -
@Mike Durran-Oracle Yes, I will drop you an email.
No SR has been logged (I am skeptical that anybody could help me with this from ORA support, especially when the setup/issue "spans" 2 Oracle products, OAS and OAM. That is my own personal experience...)
Thanks
Michal
0 -
Thank you, @Mike Durran-Oracle for reaching out and providing assistance. DV Embedding now works successfully -- CORS errors are now gone by resolving issues in SSO and OAS/Apache server.
0 -
I am running into the same issue with our SSO implementation. Could you please share how you fixed it?
0 -
Solution when OAS is configured for SSO using SiteMinder:
1. In SSO SiteMinder:
   a. Removed OPTIONS from the protected realm
   b. Set autoauthorizeoptions=Yes
2. In the Apache conf, added the header values below in virtual host 443:
   Header set Access-Control-Max-Age "300"
   Header set Access-Control-Allow-Credentials "true"
   Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, x-csrf-token"
   Header set Access-Control-Allow-Methods "POST, GET, PUT, DELETE, PATCH, OPTIONS"
1 -
If the OAS SSO is configured using Custom SSO (Hybrid Model) with the SAML SSO Docker approach, the config in Apache HTTP Server for analytics.conf should be as below to exclude OPTIONS for dv.
<Location /dv>
    SetHandler weblogic-handler
    WeblogicHost <oac-bi-weblogic-hostname>
    WebLogicPort 9704
    WLIOTimeoutSecs 6000
    WLSocketTimeoutSecs 600
    # OPTIONS (CORS preflight) bypasses SSO; every other method needs a session
    <LimitExcept OPTIONS>
        AuthType shibboleth
        ShibRequestSetting requireSession true
        Require valid-user
        #ShibCompatWith24 On
        ShibUseEnvironment Off
        ShibUseHeaders On
    </LimitExcept>
</Location>
<Location /dv/ui>
    SetHandler weblogic-handler
    WeblogicHost <oac-bi-weblogic-hostname>
    WebLogicPort 9704
    WLIOTimeoutSecs 6000
    WLSocketTimeoutSecs 600
    # OPTIONS (CORS preflight) bypasses SSO; every other method needs a session
    <LimitExcept OPTIONS>
        AuthType shibboleth
        ShibRequestSetting requireSession true
        Require valid-user
        #ShibCompatWith24 On
        ShibUseEnvironment Off
        ShibUseHeaders On
    </LimitExcept>
</Location>
In short, the solution is to exclude OPTIONS requests for the /dv and /dv/ui protected resources from SSO authentication.
The headers below are also needed in Apache for successful embedding:
    Header set Access-Control-Max-Age "300"
    Header set Access-Control-Allow-Credentials "true"
    Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, x-csrf-token"
    Header set Access-Control-Allow-Methods "POST, GET, PUT, DELETE, PATCH, OPTIONS"
0 -
If the SSO is through OAM, ensure that you exclude OPTIONS in OAM Configuration.
0 -
This was immensely helpful. Thank you. This should get put into a note for Metalink. Thanks again!
1
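The fix described in the SiteMinder and Shibboleth answers above can be verified by judging the preflight response the way a browser does. This is an added example, not code from the thread or from Oracle. The function name, hostnames and both sample responses are constructed, and the Access-Control-Allow-Origin value is an assumption because the posted Apache header lists do not set it.

```python
# Added example, not from the thread. Hostnames and sample responses are constructed.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need Access-Control-Allow-Methods

def check_preflight(status, headers, origin, method, request_headers=()):
    """Return the reasons a browser would reject this preflight response.

    Assumes the embedded request is credentialed (it carries SSO cookies).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if 300 <= status < 400:
        # The failure in this thread: SSO answered OPTIONS with a login redirect.
        return [f"redirect ({status}) to {h.get('location', '?')}"]
    problems = []
    if not 200 <= status < 300:
        problems.append(f"status {status} is not 2xx")
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("Access-Control-Allow-Origin missing")
    elif allow_origin == "*":
        problems.append("wildcard origin not allowed with credentials")
    elif allow_origin != origin:
        problems.append(f"origin {allow_origin!r} does not match {origin!r}")
    if h.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    methods = {m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",")}
    if method.upper() not in SAFELISTED_METHODS | methods:
        problems.append(f"method {method} not allowed")
    allowed = {x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",")}
    for name in request_headers:
        if name.lower() not in allowed:
            problems.append(f"request header {name} not allowed")
    return problems

ORIGIN = "https://portal.example.com"  # constructed embedding site
# Constructed: what an SSO agent returns while OPTIONS is still protected.
BEFORE = (302, {"Location": "https://sso.example.com/login"})
# Constructed: 200 carrying the Apache headers posted in the thread, plus an
# Access-Control-Allow-Origin value (assumed; the posted lists do not set it).
AFTER = (200, {
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Max-Age": "300",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept, Authorization, x-csrf-token",
    "Access-Control-Allow-Methods": "POST, GET, PUT, DELETE, PATCH, OPTIONS",
})

if __name__ == "__main__":
    for label, (status, hdrs) in (("before", BEFORE), ("after", AFTER)):
        print(label, check_preflight(status, hdrs, ORIGIN, "GET", ["x-csrf-token"]) or "OK")
```

With Access-Control-Allow-Credentials set to "true", the allowed origin has to be the exact embedding origin, so the check reports a wildcard as a failure rather than a pass.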