Community

CORS error in experience builder

4671
7
09-23-2020 01:18 PM
by Anonymous User
Not applicable
‎09-23-2020 01:18 PM

Hi,

My client is getting this CORS error in experience builder:

Access to fetch at 'https://maps.gov.bc.ca/arcserver/rest/services/mpcm/bcgwpub/MapServer/474?f=json' from origin 'https://experience.arcgis.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://governmentofbc.maps.arcgis.com' that is not equal to the supplied origin. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

He added this map service (https://maps.gov.bc.ca/arcserver/rest/services/mpcm/bcgwpub/MapServer/474) to a webmap in ArcGIS Online and save the map.

In experience builder, he is getting the CORS error when trying to select the web map and add data.

I couldn't reproduce the same CORS error the first time, but I could add it the 2nd time.

He couldn't reproduce the issue with sampleserver6 so I think it could be related to some CORS setting on the web server.

Thanks,

Andy

0 Kudos
7 Replies
DavidMartinez
by Esri Regular Contributor
Esri Regular Contributor
‎09-23-2020 02:57 PM

Hi Andy,

This issue has been fixed and will be available in our October release. I was able to load that service without any issues with my local test build. 

Cheers,

David 

0 Kudos
jacbro
by
New Contributor
‎05-06-2021 06:24 AM

Hi,

I have the some issue with a custom image symbol in a web map. With Experience, the layer with this symbol, does not appaear.  With this error message in the console: 

Access to fetch at 'https://www.xxxxx.png' from origin 'https://experience.arcgis.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

is this alos a known issue ?

Thanks,

Jacques

chaims
by
New Contributor II
‎07-16-2021 05:11 AM

Hi @DavidMartinez ,

I'm experiencing what seems to be a similar issue: Embedding an arcgis dashboard in an Arcgis Enterprise 10.9 Experience Builder (using the embed widget), I get a "can't access arcgis organization" error - and developer mode shows a CORS issue. Is there any workaround for this...? - screenshot attached.

Preview file
112 KB
0 Kudos
ErnaldoLumbantobing
by
New Contributor
‎10-06-2021 01:45 AM

Hi @chaims ,

I do have same problem with you, do you have fix the issue?
Kindly need your help for this problem

Thank you

0 Kudos
Jay_Gregory
by
Occasional Contributor III
‎08-04-2022 06:14 AM

We have Enterprise 10.9 and have the exact same issue in trying to embed our own dashboards (same origin, but still getting CORS errors).  Curious if you've upgraded to 10.9.1 and it's been fixed or not?  I know there is a workaround / hack listed below, but generally only do that as a last resort.  

0 Kudos
MirkoMosch_AIDB
by
New Contributor II
‎08-04-2022 07:09 AM

my Workaround was from October 2021 and in January 2022 we installed an new 10.9.1 Environment. I cant remember having these CORS Errors in 10.9.1. The Embed Widget (code wise) looks reworked, functions like checkSafeDomain can still be found. So there is a good chance this issue has been fixed in 10.9.1

MirkoMosch_AIDB
by
New Contributor II
‎10-13-2021 09:32 AM

Hi,

i found this topic as i had the same problem (can't access arcgis organization - error and developer mode shows a CORS issue).  It took me about an Day to figure out the Solution / Hack. 

go to your portal installation dir (c:\program files\arcgis\portal) from there navigate to apps\experiencebuilder\widgets\common\embed. thats the folder of the embed widget, that is causing the CORS Error. 

to understand the problem go into src\runtime and open widget.tsx with an text editor.  go to line 563 and you will find something like sandbox="allow-scripts allow-forms allow-popups allow-presentation allow-popups-to-escape-sandbox" that are the parameters that the embed widget will use with its iframe to embed an url from an unknown source (maybe dangerous). The code is sightly different from 10.8.1 and i think it changed because of security reasons. To get javascript process that part of the code there is a check for "withSandbox" and that variable is set in a function called "checkSafeDomain". Search for that function and you will find an array consisting of two strings 'arcgis.com','esri.com'. these are the two domains considert to be safe. remember these two strings.

 

to fix the problem you have to navigate to the dist\runtime folder. make an backup of widget.js and open it with an text editor.  Search for an array ["arcgis.com","esri.com"] . ist "compressed" javascript and you will find it in line 1 position 5009. Add your own Portal-FQDN to that list.

 

Now you have to clear your browser cache as browsers think js-ressource-files never change. and thats it.

Please be aware that users may be able to embed malicious code by placing it somewhere inside your web / content.