topic Re: CORS and Web-Tier Secured Services in ArcGIS JavaScript Maps SDK Questions

CORS and Web-Tier Secured Services

StephenWay — Thu, 13 Aug 2015 15:14:00 GMT

Hi Everyone!

I have a situation where my application will be required to access web-tiered services across different domains.

I have added the following to the web config of web adapter:

</customHeaders>

However, when testing in chrome, I receive the following error in console:

XMLHttpRequest cannot load <url to secured service>. the Access-Control-Allow-Origin header contains multiple values 'http://sub.domain.com,http://sub.domain.com' .http://sub.domain.com is therefore not allowed access.

I have checked everything, i have definitly only configured one header in the web.config. I am using the testing tool available on the enable cors site.

Against an unsecured sevrice, it works fine as we don't have to set the allow credentials header, but with secured services, it is not working.

Have also tried firefox, and i do not have IE available in this environment.

Thanks for anyone who can help!

Steve

Re: CORS and Web-Tier Secured Services

JeffJacobson — Fri, 10 Dec 2021 21:58:32 GMT

Have you tried adding a remove to ensure there aren't duplicates from a higher level?

<customHeaders>
    <remove name="Access-Control-Allow-Origin" />
    <add name="Access-Control-Allow-Credentials" value="true" />
    <add name="Access-Control-Allow-Origin" value="http://sub.domain.com" />
</customHeaders>

Re: CORS and Web-Tier Secured Services

StephenWay — Fri, 14 Aug 2015 15:14:05 GMT

Hi Jeff, thank you for replying, that is really useful to know.

Actually, the issue was to do with some inheritance crazy-ness going on with IIS.

However, it seems, that using web app builder, I am getting a 401 immediately - it is not even prompting for a username/password.

I feel like i am close, just not close enough!!

If anyone has any experience of CORS on web-tier secure services using Web App builder, I would appreciate.

Thanks,

Steve

Re: CORS and Web-Tier Secured Services

ColeAndrews — Fri, 22 Jan 2016 00:10:47 GMT

Stephen, did you eventually have success on this?

Re: CORS and Web-Tier Secured Services

GertConradie — Wed, 20 Apr 2016 22:18:14 GMT

Same question - I get the following from WAB:
The 'Access-Control-Allow-Origin' header contains multiple values 'https://localhost:3344, *', but only one is allowed. Origin 'https://localhost:3344' is therefore not allowed access.

Its a bit weird - I am very certain that this did not happen before, only notice it now when look back on something i worked n before. It seems to me the rest of the app/layers is fine.

The '*' is in my web.config of my arcgis server REST endpoint. If i take it out of there, then only one is left and it work. Unfortunately I can’t take it out of there to allow other clients access.

So is WAB always adding the header value, and if yes - can I stop it from doing it?

Re: CORS and Web-Tier Secured Services

BillGrow — Wed, 20 Apr 2016 22:56:13 GMT

Hi all,

You may want to try implementing the ESRI resource proxy in your application: https://github.com/Esri/resource-proxy

Keep in mind, any time you use a referrer header origin for authentication, these are easily spoofed with simple 'modify header' tools such as this firefox extension: https://addons.mozilla.org/en-US/firefox/addon/modify-headers/

Any stored authentication, allowed by a referrer header, can be easily bypassed and open a pretty large security hole in your system. So, you'll still want to use some sort of token based, credential authentication with your secure services.

Re: CORS and Web-Tier Secured Services

GertConradie — Thu, 21 Apr 2016 10:59:13 GMT

Thanks Bill

I have to ArcGIS endpoints - one secured and the other not.

server.com/arcgis/ (secured)
server.com/arcgis2/ (unsecured)

For the secured one, I already use the ESRI resource proxy - with no “The 'Access-Control-Allow-Origin' header contains multiple values” warnings.

No problems as well if I use the ESRI resource proxy with the unsecured one. - But then I could have secured everything / don’t over public access to some published services.

When one look at the dot.net version of the ESRI resource proxy – the function “private void copyHeaders” don’t exclude 'Access-Control-Allow-Origin' headers in the copy, which make me assume that:

WAB don’t add the header when a proxy is used. (make sense – it’s not a ‘client’ any more accessing the REST service)
WAB add the header when no proxy is used. Can I stop it from doing it, or should I take out the 'Access-Control-Allow-Origin' section (included below) in the web.config of my unsecured endpoint? That would stop other (none-WAB) JavaScript API applications from using it. (Unless a proxy is used from there.)

Would the WAB app config file attribute “authorizedCrossOriginDomains” be used?

</customHeaders>

</httpProtocol>

Re: CORS and Web-Tier Secured Services

RobertScheitlin__GISP — Thu, 21 Apr 2016 13:22:03 GMT

Gert,

When dealing with esri tech support on a multi ArcGIS Server CORs issue recently I was told that it was the Web Adaptor that was adding the "Access-Control-Allow-Origin" to the header. FYI, it is not WAB that is doing this.

Re: CORS and Web-Tier Secured Services

GertConradie — Thu, 21 Apr 2016 15:10:21 GMT

Thanks Robert, that help to focus my energy.

I played around with the WebAdaptor, add and remove crossdomain.xml & clientaccesspolicy.xml files wich I sort of knew will make no difference as well as trying to move the '<add name="Access-Control-Allow-Origin" value="*" />' to an IIS root folder location. No luck.

I will use the public services via the proxy then - I'm very hestant to tak ethe

Re: CORS and Web-Tier Secured Services

RobertScheitlin__GISP — Thu, 21 Apr 2016 15:24:58 GMT

Gert,

I use to add '<add name="Access-Control-Allow-Origin" value="*" />' to an IIS root folder location on all three of my ArcGIS Servers, but no I only have <remove name="Access-Control-Allow-Origin" /> as Jeff recommended on all three in the web.config of the IIS root folder.

Re: CORS and Web-Tier Secured Services

BillGrow — Thu, 21 Apr 2016 17:23:52 GMT

Could you look in the IIS logs to see which document is actually throwing the error, and where the request is being stopped? It sounds more like an IIS configuration error, than an error in the widely distributed ESRI WebAdaptor.

Also, if ArGIS Server is throwing the error, make sure you are using the most current .net resource proxy code from github. I've had clients simply replace the contents of the folder with the current Master branch and problems are resolved. This piece acts as a wrapper for your application, and if used properly, emulates a same-origin request.

Re: CORS and Web-Tier Secured Services

ColeAndrews — Thu, 21 Apr 2016 17:53:17 GMT

I can confirm this is well. When troubleshooting a connectivity issue between WAB Dev and AGS server, the browser was throwing No Access-Control-Allow-Origin headers in the developer tools, but esri support indicated that error is commonplace and can be ignored. I had found a thread a while back that also said this can be ignored, but can't seem to find it right now.

Re: CORS and Web-Tier Secured Services

GertConradie — Thu, 21 Apr 2016 20:05:59 GMT

I just need to confirm the following:

The .Net resource proxy play no role when I experience the problem, but rather it can be used to bypass/fix my problem. I also use a very recent version for my secured services.
There is no server side error logged/vissible. The problem arrise when the browser look at the headers to decide if it is allowed to display it to you or not. (i.e. you see the message in the console section of your browser)
Something on the server add an additional header value for 'Access-Control-Allow-Origin' that contain the orgin domain value (it change from where I made the call) - which sort of proove that it is not a fixed configuration value, but rather a configuration in IIS/the web adaptor that tell the server/ArcGIS to always add the orgin host value, whatever it might be.
It is definately not WAB - I could replicate the problem with a very basic Javascript API map that request a layer - it behave the exact same way as WAB.

Robert, I tried the '<remove name="Access-Control-Allow-Origin" />', but it have no affect. What I do know is that the 'add' in the same web.config file for the web adaptor is used - any changes to replace the '*' value become visible in the multiple header's listed in the browser.

For now, I will remove the '<add name="Access-Control-Allow-Origin" value="*" />' from the adaptor's web.config and research it a bit more. All the access methods will keep on working.

I do acknowledge it is very likely a configuration on my server that cause this though, i just dont have an idea on where it can be. (Other than the web.config's in the IIS app/folder tree)

Note my web adoptor version is: 10.4.0

Re: CORS and Web-Tier Secured Services

RobertScheitlin__GISP — Thu, 21 Apr 2016 20:12:44 GMT

Gert,

FYI, I use the remove as the only thing in the custom headers section of my web.config I do not have it and some add

Re: CORS and Web-Tier Secured Services

GertConradie — Thu, 21 Apr 2016 20:29:37 GMT

Hi Robert, yes I had it like that.

I did another test now - if I add '<add name="Access-Control-Allow-Origin" value="gert" />' in the IIS root web.config, then it is indeed removed by the 'remove' in the web adaptor's web.config.

Just as long as there is no '<add name="Access-Control-Allow-Origin" value="*" />' in the web adaptor's web.config all is good.

It sort of proove that the "phantom" header value is being set AFTER the web.config's are parsed/applied.