CORS Issue on Preflight (OPTIONS) Check

Question

Question

Colin Nagle · Oct 24

#Access control #API #Authentication #HTML #OAuth2 #REST API #Security #InterSystems IRIS

I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.

I've already set Parameter HandleCorsRequest = 1; on the spec class and All the endpoints I am have (a mix of GET, POST, PATCH and DELETE) are working from postman without issue, the problem is when consuming from the web front-end and the preflight checks the browser instigates. Most of the endpoints work in the browser, but some are triggering the preflight (OPTIONS) check causing the CORS issue.

This is what I am seeing in the browser:-

Access to XMLHttpRequest at 'endpoint/url' from origin 'website/url' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This is what I see in the Web Gateway HTTP Trace:-

Show Response
OPTIONS myroute HTTP/1.1
Host: myhost
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization,content-type
Origin: myorigin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: myorigin
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
X-Dynatrace-Application: appname
X-Dynatrace-Origin-Url: myurl
X-Dynatrace-Requeststate: agentId=agentid
X-Dynatrace: longstring
Traceparent: 00-e5bd3bc715eb3be6268511f915fe7d9b-ea15bf233d8a175b-01
Tracestate: f987396-b7c395b8@dt=fw4;7;572083a4;be20;a;0;0;2ab;0c92;2h01;3h572083a4;4hbe20;5h01;7hea15bf233d8a175b
X-Ruxit-Apache-Servernameports: serverurl

Show Request
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Thu, 24 Oct 2024 11:40:13 GMT
Expires: Thu, 29 Oct 1998 17:04:19 GMT
Pragma: no-cache
Content-Length: 0

I've tried overriding the OnHandleCorsRequest in the disp class, but I don't think it is even getting there.

Any help much appreciated.

Thanks

Colin

Product version: IRIS 2022.1

$ZV: IRIS for Windows (x86-64) 2022.1.2 (Build 574U) Fri Jan 13 2023 15:00:26 EST

Discussion (4)2

Log in or sign up to continue

Alexander Koblov · Oct 25

In Audit -> Configure System events in the Portal
https://docs.intersystems.com/iris20242/csp/docbook/DocBook.UI.Page.cls?...

0 0

Colin Nagle · Oct 25

Thanks, this is resolved. preflight check was a red herring, my call was being made slightly differently due to CASE! I hadn't noticed the single letter case difference until just now, and people in the same situation, plus the 'important note' in the documentation had led me to incorrectly believe CORS was at fault.

1 0

score 0 · Answer 1 · 2024-10-25T04:10:51-04:00

HI Colin.

Enable Audit, LoginFailure and Protect events. Reproduce the error and see if anything is Logged in the Audit

See the Important note in this section of the documentation:
https://docs.intersystems.com/iris20242/csp/docbook/DocBook.UI.Page.cls?...

score 0 · Answer 2 · 2024-10-25T04:39:20-04:00

Hi Alexander,

Thanks very much for your response. What's really strange about my scenario is that if I use a REST client to hit that OPTIONS endpoint, I get back a 200 response, but from the browser it is getting a 404! I've even tried setting up all of the headers exactly how the axios/browser is packaging them up and it still works from the REST client. I don't see what would be different.

I've looked over those doc, I think I've already covered that off, but I'm going to double check.

On the audit, where can I enable those events please?

Thanks again

Colin