How to handle pre-flight checks in CSP?

Question

Question

Sean Connelly · May 17, 2017

From a browser, an XMLHttpRequest to a CSP page on a different server will obviously hit the CORS security check.

To get around this I can set the Access-Control-Allow-Origin header on that particular CSP class.

However, setting any request headers on the XMLHttpRequest object will trigger a pre-flight OPTIONS request.

This OPTIONS request is not handled by the target CSP page and the Access-Control-Allow-Origin header is never set, triggering a CORS error.

I can see in the new REST class that it can get a handle on the OPTIONS request but standard CSP pages don't seem to get them.

Are there any solutions for doing this in standard CSP such that it will work with older versions of Caché?

It currently feels like the answer is no, so I am looking at JSONP as an alternative, but would appreciate if anyone has managed to solve this without a hack. I also want to avoid using a proxy which is what I normally always use.

Sean.

Discussion (3)1

Log in or sign up to continue

Patrick Newton · May 23, 2017

Extending CORS support to CSP and not just REST is planned work but we do not have an ETA as yet

0 0

score 0 · Answer 1 · 2017-05-23T13:27:05-04:00

Sean Connelly · May 23, 2017

Thanks for replying.

Can we assume this will not be back ported?

0 0

score 1 · Answer 2 · 2017-05-23T13:54:55-04:00

No, you can't assume that. This is a significant feature that many customers will need. Sorry but I can't say more than that ;-)