nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Oracle Communities

Oracle Analytics and AI

Child Item

OAS DV embedding - Access to font has been blocked by by CORS policy

Rav Singh

We have OAS 2024, and are able to successfully embed OAS content on the web page. We are seeing errors in the Console tab in Dev Tools and these are only for .woff and .ttf files.

Other files like .gif, .css, .js do not have issues.

We have Custom SSO using SAML SSO Docker approach and webpage is establishing SSO first before executing webpage with embedded content.

Access to font at 'https://bidev.pc.com/dv/static/application/1.0.0.39f2e3555343/obitech-application/fonts/OracleSansUI_W_Bd.woff' from origin 'https://sandbox.pc.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Access to font at 'https://bidev.pc.com/dv/static/application/1.0.0.39f2e3555343/obitech-application/fonts/ojuxIconFont_Rg.ttf' from origin 'https://sandbox.pc.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Find more posts tagged with

Embedding

Accepted answers

Rav Singh

@BrandonH @SteveF-Oracle

The issue here is that font is referenced inside a .css file.

@font-face{

font-family:Oracle Sans;

font-style:italic;

font-weight:600;

src:url(obitech-application/fonts/OracleSansUI_W_SBdIt.woff) format("woff");

}

Even though the .css file is fetched with crossorigin="use-credentials", the resources referenced within the CSS are fetched in an anonymous mode by browser.

I believe this was the reason .woff file does not get successful authentication.

To work around this, I bypassed Auth requirement for "/dv/static" path and the issue is resolved.

All comments

Michal Zima

We are "fighting" with same situation as well on our OAS environment (OAS SSO integrated with Oracle Access Manager , Apache HTTTP server in front of OAS) with DV Embedding for pretty long time. We have for almost 3 years (!!!!!) SR open with Oracle support (on this topic) so far without any resolution….. Currently CEAL team member is engaged , but he did not succeed either yet to make it working. @Mike Durran-Oracle - any comments on it ?

Steve F-2

Hi @Rav Singh

Newer versions of browsers are have moved towards more secure CORS policy. Chrome (starting from version 85) sets default Referrer-Policy as ‘strict-origin-when-cross-origin’ which dictates what to be sent in Referer request header. If the website doesn’t set the Referrer-Policy, browser default one would be picked. Please refer to for more details. For chrome browser, the default is ‘strict-origin-when-cross-origin’ starting version 85. For firefox, it is ‘no-referrer-when-downgrade’. https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default

The browsers treat it as a cross-origin request and blocks the call.
Typically, these are not blocked when using a vanity URL where the domain is the same. This appears to be your case (bidev.pc.com and sandbox.pc.com)

Do you have screenshot of Console > Safe Domains?

Do you have an HTTP Server (Apache, Oracle, Other) front-ending your OAS?

Which browsers are you testing with?

Rav Singh

@SteveF-Oracle

Yes, we have same domain. Sub-domain is different.

Yes, we have Apache front-ending OAS, Apache is mainly for SAML SSO between website and OAS.

I am testing with Chrome and Firefox and both are having issues.

BrandonH

The CORS block you are showing appears to say it's not a BI side issue but an issue with sandbox.pc.com blocking bi:

from origin 'https://sandbox.pc.com' has been blocked by CORS policy

if the origin is sandbox.pc.com when the request leaves sandbox.pc.com you have to inject a:

Access-Control-Allow-Origin xxxx.xxx.com

When the request leaves sandbox.com

What is sandbox.com and share with us the details of the request headers for the specific request that's being blocked.

Rav Singh

@SteveF-Oracle When I directly embed the OAS URL I do not see the CORS issues. But when the URL is Apache (routing to OAS), the CORS issue for font is coming.

I have tried adding Access-Control-Allow-Origin header in httpd.conf, ssl.conf.. but no luck.

Rav Singh

@BrandonH The request headers for blocked request:

GET /dv/static/application/1.0.0.39f2e3555343/obitech-application/fonts/OracleSansUI_W_Bd.woff HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Host: bidev.pc.com
Origin: https://sandbox.pc.com
Referer: https://bidev.pc.com/dv/static/application/1.0.0.39f2e3555343/application.css
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

Steve F-2

@Rav Singh

Can you change your Safe Domains page from:

https://sandbox.pc.com

to

*.pc.com

Re-test.

If still an issue, via the Apache HTTP Server, then you potentially may need a solution in the HTTP Server .htaccess file

FilesMatch "\.(svg|ttf|otf|eot|woff)$">
    <IfModule mod_headers.c>
        Header set Access-Control-Allow-Origin "*"
    </IfModule>
</FilesMatch>

Note: The '*' allows every to access the files in the file match, you can limit it, see your HTTP Server documentation.

You can test access to the .woff file via the HTTP Server using curl command

Other comments, welcomed.

BrandonH

Can you confirm the following assumptions:

sandbox.pc.com:

Some website that you are embedding OAS content into

bidev.pc.com:

Apache webserver that's infront of OAS / DV?

What is the domain/url of the direct route to oas/dv? and that direct route (nonapache) I'm assuming is non https? eg

10.25.15.33:7502
hostname.pc.com:7502

On sandbox.pc.com when you embed non-https content, I think you have to give it a pretty big security exemption. If non-https content is embedded CORS is irrelevant, my understanding is it only applies to https communication.

BrandonH

Overall, I'm not 100% sure which side to look at this from, sandbox.pc.com or bidev.pc.com

What we know is the following from the blocked request he sent above:

The GET Request is to devbi.pc.com:

GET /dv/static/application/1.0.0.39f2e3555343/obitech-application/fonts/OracleSansUI_W_Bd.woff HTTP/1.1

The origin of the request is:

Origin: https://sandbox.pc.com

Since the origin of the request is not BI / DV, then whatever headers get set by the BI/ DV application via the safe domains and .htaccess would not apply to this outgoing request?

I read this as the request from sandbox.pc.com going out to bidev.pc.com is being blocked. So is it blocked on the bidev.pc.com side or the sandbox.pc.com side? If I understand CORS, its neither, the browser is blocking it, and the only way in this scenario to avoid it would be for sandbox.pc.com to send out headers saying allow origin devbi.pc.com

Rav Singh

@BrandonH

Yes, that is right.

sandbox.pc.com: — Some website that you are embedding OAS content into

bidev.pc.com: — Apache webserver that's infront of OAS / DV

Apache to OAS is https.

Below is in workers.conf

ProxyPreserveHost On
<Proxy "balancer://workers">
BalancerMember "https://devbi1-vip.pc.com:9404"
ProxySet lbmethod=bytraffic
</Proxy>