I am developing right now some dashboards that connect to epicor 10. We are a Multi-tenant SaaS customer, so we had to go over a lot to figure out how to connect to the ReST API. I got it running with some Ajax and Javascript. It looks pretty neat, still a lot of work to do.
I didi it in pilot and chrome and no problems. But whenever I changed it to production environment I got a message about not CORS in chrome. Anyone can provide some help on that? Could it be the IIS?
Thatâs Cross Domain Request Issue a Browser Security Feature. You can disable CORS in the web.config of your app servers. Add the following appSetting
<add key="CorsOrigins" value="*" />
NOTE THIS IS A POTENTIAL SECRITY RISK. Read about CORS before making this change.
So what would be the right way to go with it?
Why am I getting it in the first place, it is with production database only. With Pilot I am not getting this error message.
Thanks!
Instead of * you should narrow it down to specific domains that you want to allow.
Maybe someone already did it in Pilot? Or is the App you rare hosting in the same server as pilot?
No, the âwebsite/appâ I am coding is in local, I am just using ajax to bring data from out server. Like I mentioned we are a cloud based EPICOR customer, we are a multi-tenant environment.
So that is why I find interesting how come in pilot I am not getting that error message, no one else has done this before here.
So in domains would I put the EPICOR server? or the local IP address from the machine I am running?
The domain / ip of the machine the request is coming from (I imagine) I havenât tried a specific domain
you would need to put exact schema domain and port you are connecting from.
If your script is running on your local machine like http://localhost:8080, you would need to put this in CorsOrigin.
But if * is used, then it should work for any address.
Okay, so it would be better to only allow a specific domain to do that. Thanks for that clarification. Now where would I put that code? where would I find the web.config file?
Thanks!
Itâs in your app server web.config
So if you are in multi-tenant or dedicated tenant saas then you donât actually control the cors origins setting or the web.config file - we do. So I recommend you reach out to the SaaS Ops team about it via epicor support.
BTW I know for a fact that weâre allowing open cors as a standard part of SaaS configuration rather than whitelisting each consumer because sadly cors doesnât actually support a discrete whitelist of domains. You can specify * for all or one specific domain and thatâs it.
Jose is right that there are some security implications to open cors (eg. a website hosted anywhere is allowed to try to call epicor saas rest services), but theyâre fairly minor for us because our apis require authentication. So long as you are careful with the epicor auth token you get (like donât store it in a cookie that any website can read, just your own) then youâre fine.
Thanks Brian. But would you be abel to answer why with Pilot it did not pop up?
I am using brackets to develop the app btw.
Each erp appserver needs to be configured to allow this access so my best guess is pilot has this configuration but one of the live instances doesnât.
And this appserver configuration is something we have to do, or is it something Saas Cloud team needs to do?
Thanks!
This is the message I am receiving .
Failed to load https://XXXXX Response to preflight request doesnât pass access control check: No âAccess-Control-Allow-Originâ header is present on the requested resource. Origin âhttp://XXXâ is therefore not allowed access. The response had HTTP status code 401.
You need to contact Saas Cloud team to update web.config
Thanks! that did the trick, they had to enable it from their side.
Iâve been having a different CORS issue while calling the REST api. Iâm getting a 403 error when making REST calls, with an error message of âResponse for preflight does not have HTTP ok status.â To try and get by this error I added the line Jose gave up above and Iâve added this to the web.config:
<cors enabled="true" failUnlistedOrigins="true">
<add origin="localhost:50134" allowCredentials="true">
<allowHeaders allowAllRequestedHeaders="true"></allowHeaders>
<allowMethods>
<add method="GET"/>
<add method="PUT"/>
<add method="POST"/>
<add method="DELETE"/>
<add method="OPTIONS"/>
</allowMethods>
</add>
</cors>
I havenât seen anybody else having this error on E10 help, so Iâm not sure why we are the only ones having this issue.
The code you added is not necessary for REST.
The only thing you should have in web.config is <add key="CorsOrigins" value="*" /> in appSettings section.
Ok so would this 403 error be related to certificates? Thatâs what itâs looking like right now.
You need to find out what gives you 403 or other error and fix it. Then CORS will work, I think.
Look into Event Viewer on server, are there related errors in epicor and application logs.