+1-888-365-2779
Try Now
More in this section

Forums / Bugs & Issues / CORS issue with Sitefinity 9.1 No 'Access-Control-Allow-Origin'

CORS issue with Sitefinity 9.1 No 'Access-Control-Allow-Origin'

6 posts, 0 answered
  1. robert
    robert avatar
    1 posts
    Registered:
    08 Apr 2016
    26 Jul 2016
    Link to this post

    Hello everyone,

    We were trying to enable CORS on our Staging server and no matter what setting we enable or tweak in our security layer it appears the CORS functionality is not working with Sitefinity although its apparently enabled. 

    To ensure it was not a problem with the configuration on the Staging server, I downloaded the latest Sitefinity Empty SampleProject found here: https://github.com/Sitefinity-SDK/Telerik.Sitefinity.Samples.EmptyProject/tree/release91  and I was able to reproduce the exact same problem locally.

    Attached you will find two screenshots.

    WebRequest with Error.png will show you the entire debug window from the developer tools from within Google Chrome.

    WebService options.png shows you the options set against that specific web service and showing CORS is enabled.

    Also with a direct quote from the official Sitefinity Documentation on CORS: http://docs.sitefinity.com/define-the-access-permissions  

    "Enter *
    Every request from every domain will be allowed. We do not recommend this, because there may be malicious users who would try to exploit the service. We recommend to specify only domains that are trusted."

    Hopefully this can be addressed and thanks to anyone who has any information or suggestions on this issue. 

  2. Kevin
    Kevin avatar
    0 posts
    Registered:
    23 Sep 2016
    01 Feb in reply to robert
    Link to this post
    Was there any feedback at all on this?  I am having the same issue with both 9.1 and in 9.2.
  3. Victor Leontyev
    Victor Leontyev avatar
    65 posts
    Registered:
    01 Jul 2014
    02 Feb in reply to Kevin
    Link to this post

    Hi Kevin,

    You can enable CORS for specific locations with  web.config:

    <location path="api/something">
        <system.webServer>
           <httpProtocol>
              <customHeaders>
                 <add name="Access-Control-Allow-Origin" value="*" />
              </customHeaders>
           </httpProtocol>
        </system.webServer>
      </location>

     

  4. Kevin
    Kevin avatar
    0 posts
    Registered:
    23 Sep 2016
    02 Feb in reply to Victor Leontyev
    Link to this post

    First, thank you for the response!!!

    Is the <location>  tag needed?  Not sure what that is...  also this should go in between <configuration> tags?

  5. Joe
    Joe avatar
    0 posts
    Registered:
    10 Jun 2010
    09 Feb in reply to Victor Leontyev
    Link to this post
    Hi Victor, can you confirm Kevin's reply? We just had an issue where the rocketship loaded but in watching the network trace we would get the CORS error. Manually restarting the website in IIS cleared it up.
  6. Victor Leontyev
    Victor Leontyev avatar
    65 posts
    Registered:
    01 Jul 2014
    10 Apr
    Link to this post

    Location tag is just limiting the rule.

    If you want to apply CORS rule (Access-Control-Allow-Origin:*) for all website, you don't need to specify location tag. 

    If you want to apply it only for specific URLs, you need to specify location.

    You can check details in msdn: https://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.71).aspx

6 posts, 0 answered