AnsweredAssumed Answered

Disable CORS Discussion

Question asked by mflawton on Oct 7, 2013
Latest reply on Oct 7, 2013 by DSwingley-esristaff
I've been ignoring the "Origin is not allowed by Access-Control-Allow-Origin" errors (aka the CORS error) in my apps for many months now, like a good ArcGIS JS API developer. I haven't paid much attention to CORS, but finally decided to devote a little time to researching it. I get the error because I package some Esri services onto my map. If I understand the error correctly, it is getting thrown because I am using web services in my app from an external server that either:

a) Doesn't like that my server is connecting to it because my server has not been whitelisted by CORS

or

b) My server doesn't like that I am connecting to the Esri server because it hasn't been whitelisted by CORS

I'm not sure exactly which scenario is correct, but nonetheless I get the error.

In reading, I stumbled across Kelly Hutchins's post from June 2012 here:

http://forums.arcgis.com/threads/59988-Issue-Upgrading-to-version-3.0?p=207055&viewfull=1#post207055

I've probably read that post a half dozen times over the last 10 months, but I stopped to actually understand what it was telling me. There is a parameter called "esri.config.defaults.io.corsDetection", that has apparently existed since JSAPI 3.0, that can be set to "false". So I went ahead and added this line to my Init function and *poof!*, no more CORS error.

So why don't I see this as a solution in the various CORS related posts on these forums? Instead I see Esri staff saying "just ignore the error". Is it bad to disable the CORS detection? Is it doing something that I don't want?

I understand the idea behind CORS, that it is to provide more secure access between dynamic data services, etc., but it seems to be slow to adoption, so why wouldn't I just disable it for now? Has everybody else known about this solution and I am just now figuring it out?

Outcomes