Orchestrator API access - CORS policy

celfa · March 7, 2019, 4:06pm

Hi guys,

I’m trying to start a job from a simple HTML file with JavaScript. Everything works through Swagger where I’m able to authenticate, get processes, get robot and post a job to the queue. But with the basic JavaScript I’m not even able to authenticate?

The error I’m getting in the console:
Access to XMLHttpRequest at 'OrchestratorURL' from origin 'https://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

I’ve tried to google the issue and a few people were suggesting to put in the following in a .htacces file:
Access-Control-Allow-Origin’: ‘*’

All help and inputs are very appreciated

qbrandon · March 19, 2019, 1:50am

You need to whitelist https://localhost using the AcceptedRootUrls in your Orchestrator’s Web.config

celfa · March 19, 2019, 7:11am

Thanks for your input @qbrandon

I’ve now added the following:
<add key="AcceptedRootUrls" value="https://localhost" />

In the Web.config file, and restarted the IIS but nothing changed. I still got the same error. Any suggestions? Did I add it correctly?

Lucas_MICHALSKI · March 19, 2019, 8:55am

i’ve the same error, but i’m actually on platform.uipath.com not on any installation of my own, so i can’t edit any config file, i was thinking that the demo allow all devices to request to the server by default ??

qbrandon · March 19, 2019, 9:42am

Apologies, I didn’t properly double check, this is about request origin:

Looks like this is just about manually configuring this as a custom header in IIS: customHeaders
In your case, it would be safer to specify https://localhost rather than completely disable XSS checks with *

celfa · March 19, 2019, 12:33pm

Thanks again @qbrandon

I’ve added <add name="Access-Control-Allow-Origin" value="*" /> to my custom headers below:

<httpProtocol>
<customHeaders>
<clear />
<remove name="X-Powered-By" />
<remove name="X-AspNet-Version" />
<remove name="X-AspNetMvc-Version" />
<remove name="Server" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="DENY" />
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>

And restarted the IIS and I still got the same response:

Access to XMLHttpRequest at 'https://OurURL/api/Account/Authenticate' from origin 'https://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

Do you have more suggestions?

qbrandon · March 19, 2019, 1:28pm

At this point, it may be about who is handling the OPTIONS method…
I do not have a local environment to try this right now, but can you check this type of settings for the OPTIONS verb?

It may need some tuning (since our API includes the PATCH verb as well for example)

rlove · March 20, 2019, 1:29pm

Please try again. We have updated settings on platform.uipath.com

Lucas_MICHALSKI · March 20, 2019, 2:10pm

Thank you for your intervention, it’s working perfectly now !

celfa · March 22, 2019, 12:50pm

@rlove any chance you could enlighten us in what you have changed to get this to work on platform.uipath.com? Did you make any changes on your backend?

We have tried @qbrandon proposals now and we are still facing the same issues. However, if we run Chrome with --disable-web-security then the API works. So it must be something with the browser security/policies.

Any input is highly appreciated

loginerror · March 22, 2019, 1:08pm

Hi @celfa

Yes, the setting was updated on our installation of Orchestrator CE. I’ll see if I can get you the exact setting location.

qbrandon · March 22, 2019, 1:52pm

What did you guys allow? Localhost or *?

celfa · March 22, 2019, 2:07pm

We tried both. But currently the IIS is set to *

loginerror · March 25, 2019, 7:21am

Hi @celfa

This should be of help here:
https://social.msdn.microsoft.com/Forums/azure/en-US/5bd37aa7-eed7-4ddd-a560-c36a09e1674d/how-can-i-enable-the-cors-on-my-app-hosted-on-azure-portal?forum=windowsazurewebsitespreview

It’s the configuration that was done for Platform.

celfa · March 26, 2019, 12:53pm

That is basically what we already have tried.

Our last shot was to set up a CORS proxy with CORS Anywhere. But that did not change anything either.

Any other suggestions?

celfa · March 29, 2019, 11:24am

So finally we figured out what the issue was!

For a couple of weeks ago, we installed a CORS module on the IIS and changed the web.config accordingly. However, the changes in the web.config related to the CORS module did not work at all. So we removed the CORS module part again. But what we realized was that the IIS server needs to be rebooted after a module is installed. So after a complete reboot, we could add the CORS module section to the web.config which resulted in a working API

system · April 1, 2019, 11:24am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to enable CORS Something Else question	3	2102	May 18, 2022
CORS error when post request to startjob Orchestrator Help orchestrator , api	2	1617	March 27, 2019
Orchestrator Authentication not working with Javascript XHR request Help orchestrator , question	2	1081	October 20, 2020
Enable CORS policy for Cloud Orchestrator Help orchestrator	42	5201	August 8, 2019
CORS error on sending start job api post request to orchestrator Orchestrator orchestrator , question	1	275	July 17, 2023

Most Active Users - Yesterday
Anil_G
ashokkarale
jinal.shah
Gautham_Pattabiraman
postwick
chandreshsinh.jadeja
vrdabberu
Ajay_Mishra
sven.wullum1
Vyshnavi_Nalumachu
More details...

Orchestrator API access - CORS policy

Related Topics