OAS DV embedding - Access to font has been blocked by CORS policy

We have OAS 2024, and are able to successfully embed OAS content on the web page. We are seeing errors in the Console tab in Dev Tools and these are only for .woff and .ttf files.
Other files like .gif, .css, .js do not have issues.
We have Custom SSO using SAML SSO Docker approach and webpage is establishing SSO first before executing webpage with embedded content.
Access to font at 'https://bidev.pc.com/dv/static/application/1.0.0.39f2e3555343/obitech-application/fonts/OracleSansUI_W_Bd.woff' from origin 'https://sandbox.pc.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Access to font at 'https://bidev.pc.com/dv/static/application/1.0.0.39f2e3555343/obitech-application/fonts/ojuxIconFont_Rg.ttf' from origin 'https://sandbox.pc.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Best Answer
-
The issue here is that font is referenced inside a .css file.
@font-face{
  font-family:Oracle Sans;
  font-style:italic;
  font-weight:600;
  src:url(obitech-application/fonts/OracleSansUI_W_SBdIt.woff) format("woff");
}
Even though the .css file is fetched with crossorigin="use-credentials", the resources referenced within the CSS are fetched in an anonymous mode by the browser.
I believe this was the reason the .woff file does not get successful authentication.
To work around this, I bypassed Auth requirement for "/dv/static" path and the issue is resolved.
0
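The failure described in this answer, as an added example that is not part of the original thread and is not OAS, Apache or browser code: a simplified JavaScript model of a cross-origin font fetch reaching an SSO gateway, with and without the /dv/static bypass. The allowlist, cookie value, login path and font path are constructed assumptions.

```javascript
// Simplified model with constructed values; not OAS, Apache or browser source.
const ALLOWED_ORIGINS = new Set(["https://sandbox.pc.com"]); // assumed Safe Domains entry

// Browser: @font-face fonts are fetched in CORS mode with credentials
// "same-origin", so a cross-origin font request carries no cookies.
function buildFontRequest(pageOrigin, fontUrl, cookieJar) {
  const target = new URL(fontUrl);
  const crossOrigin = target.origin !== pageOrigin;
  const headers = { "Sec-Fetch-Mode": "cors" };
  if (crossOrigin) headers.Origin = pageOrigin;
  else if (cookieJar[target.host]) headers.Cookie = cookieJar[target.host];
  return { crossOrigin, path: target.pathname, headers };
}

// Server: hypothetical SSO gateway in front of the static files.
// authBypassPrefixes models the "/dv/static" exemption from the answer.
function gateway(req, authBypassPrefixes) {
  const bypass = authBypassPrefixes.some(
    (p) => req.path === p || req.path.startsWith(p + "/"));
  if (!req.headers.Cookie && !bypass) {
    // Login redirect, issued before any CORS header is attached.
    return { status: 302, headers: { Location: "/sso/login" } }; // hypothetical path
  }
  const headers = { "Content-Type": "font/woff", Vary: "Origin" };
  if (ALLOWED_ORIGINS.has(req.headers.Origin)) {
    headers["Access-Control-Allow-Origin"] = req.headers.Origin; // echo, not "*"
  }
  return { status: 200, headers };
}

// Browser: CORS check on the response to a cross-origin request.
function corsCheck(pageOrigin, req, res) {
  if (!req.crossOrigin) return "allowed"; // same-origin: no CORS check
  const acao = res.headers["Access-Control-Allow-Origin"];
  if (!acao) return "blocked: no Access-Control-Allow-Origin header";
  return acao === "*" || acao === pageOrigin ? "allowed" : "blocked: origin mismatch";
}

function loadFont(pageOrigin, authBypassPrefixes) {
  const jar = { "bidev.pc.com": "session=constructed" }; // SSO cookie exists, is not sent
  const url = "https://bidev.pc.com/dv/static/fonts/sample.woff"; // constructed path
  const req = buildFontRequest(pageOrigin, url, jar);
  return corsCheck(pageOrigin, req, gateway(req, authBypassPrefixes));
}

console.log(loadFont("https://sandbox.pc.com", []));             // SSO on every path
console.log(loadFont("https://sandbox.pc.com", ["/dv/static"])); // static path exempted
console.log(loadFont("https://other.example", ["/dv/static"]));  // origin not allowlisted
```

Exempting a prefix from authentication makes everything under it readable without a session, so the exemption should cover static assets only.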
Answers
-
We are "fighting" with the same situation as well on our OAS environment (OAS SSO integrated with Oracle Access Manager, Apache HTTP server in front of OAS) with DV Embedding for a pretty long time. We have had an SR open with Oracle support (on this topic) for almost 3 years (!!!!!), so far without any resolution….. Currently a CEAL team member is engaged, but he has not succeeded either yet in making it work. @Mike Durran-Oracle - any comments on it?
2 -
Hi @Rav Singh
Newer versions of browsers have moved towards a more secure CORS policy. Chrome (starting from version 85) sets the default Referrer-Policy as ‘strict-origin-when-cross-origin’, which dictates what is to be sent in the Referer request header. If the website doesn’t set the Referrer-Policy, the browser default one would be picked. Please refer to for more details. For the Chrome browser, the default is ‘strict-origin-when-cross-origin’ starting with version 85. For Firefox, it is ‘no-referrer-when-downgrade’.
The browsers treat it as a cross-origin request and block the call.
Typically, these are not blocked when using a vanity URL where the domain is the same. This appears to be your case (bidev.pc.com and sandbox.pc.com)
Do you have screenshot of Console > Safe Domains?
Do you have an HTTP Server (Apache, Oracle, Other) front-ending your OAS?
Which browsers are you testing with?
0 -
Yes, we have same domain. Sub-domain is different.
Yes, we have Apache front-ending OAS, Apache is mainly for SAML SSO between website and OAS.
I am testing with Chrome and Firefox and both are having issues.
0 -
The CORS block you are showing appears to say it's not a BI side issue but an issue with sandbox.pc.com blocking bi:
from origin 'https://sandbox.pc.com' has been blocked by CORS policy
if the origin is sandbox.pc.com when the request leaves sandbox.pc.com you have to inject a:
Access-Control-Allow-Origin xxxx.xxx.com
When the request leaves sandbox.com
What is sandbox.com and share with us the details of the request headers for the specific request that's being blocked.
0 -
@SteveF-Oracle When I directly embed the OAS URL I do not see the CORS issues. But when the URL is Apache (routing to OAS), the CORS issue for font is coming.
I have tried adding Access-Control-Allow-Origin header in httpd.conf, ssl.conf.. but no luck.
0 -
@BrandonH The request headers for blocked request:
GET /dv/static/application/1.0.0.39f2e3555343/obitech-application/fonts/OracleSansUI_W_Bd.woff HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Host: bidev.pc.com
Origin: https://sandbox.pc.com
Referer: https://bidev.pc.com/dv/static/application/1.0.0.39f2e3555343/application.css
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
0 -
@Rav Singh
Can you change your Safe Domains page from:
https://sandbox.pc.com
to
*.pc.com
Re-test.
If still an issue, via the Apache HTTP Server, then you potentially may need a solution in the HTTP Server .htaccess file:
<FilesMatch "\.(svg|ttf|otf|eot|woff)$">
  <IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
  </IfModule>
</FilesMatch>
Note: The '*' allows everyone to access the files in the file match; you can limit it, see your HTTP Server documentation.
You can test access to the .woff file via the HTTP Server using curl command
Other comments welcomed.
0 -
Can you confirm the following assumptions:
sandbox.pc.com:
- Some website that you are embedding OAS content into
bidev.pc.com:
- Apache webserver that's in front of OAS / DV?
What is the domain/url of the direct route to oas/dv? and that direct route (nonapache) I'm assuming is non https? eg
- 10.25.15.33:7502
- hostname.pc.com:7502
On sandbox.pc.com when you embed non-https content, I think you have to give it a pretty big security exemption. If non-https content is embedded CORS is irrelevant, my understanding is it only applies to https communication.
0 -
Overall, I'm not 100% sure which side to look at this from, sandbox.pc.com or bidev.pc.com
What we know is the following from the blocked request he sent above:
The GET Request is to devbi.pc.com:
GET /dv/static/application/1.0.0.39f2e3555343/obitech-application/fonts/OracleSansUI_W_Bd.woff HTTP/1.1
The origin of the request is:
Origin: https://sandbox.pc.com
Since the origin of the request is not BI / DV, then whatever headers get set by the BI/ DV application via the safe domains and .htaccess would not apply to this outgoing request?
I read this as the request from sandbox.pc.com going out to bidev.pc.com is being blocked. So is it blocked on the bidev.pc.com side or the sandbox.pc.com side? If I understand CORS, it's neither; the browser is blocking it, and the only way in this scenario to avoid it would be for sandbox.pc.com to send out headers saying allow origin devbi.pc.com
0 -
Yes, that is right.
sandbox.pc.com: — Some website that you are embedding OAS content into
bidev.pc.com: — Apache webserver that's in front of OAS / DV
Apache to OAS is https.
Below is in workers.conf
ProxyPreserveHost On
<Proxy "balancer://workers">
BalancerMember "https://devbi1-vip.pc.com:9404"
ProxySet lbmethod=bytraffic
</Proxy>
0