Orchestrator API access - CORS policy

Hi guys,

I’m trying to start a job from a simple HTML file with JavaScript. Everything works through Swagger where I’m able to authenticate, get processes, get robot and post a job to the queue. But with the basic JavaScript I’m not even able to authenticate?

The error I’m getting in the console:
Access to XMLHttpRequest at 'OrchestratorURL' from origin 'https://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

I’ve tried to google the issue and a few people were suggesting to put the following in a .htaccess file:
'Access-Control-Allow-Origin': '*'

All help and inputs are very appreciated :slight_smile:

You need to whitelist https://localhost using the AcceptedRootUrls in your Orchestrator’s Web.config

1 Like

Thanks for your input @qbrandon :smiley:

I’ve now added the following:
<add key="AcceptedRootUrls" value="https://localhost" />

In the Web.config file, and restarted the IIS but nothing changed. I still got the same error. Any suggestions? Did I add it correctly?

I have the same error, but I’m actually on platform.uipath.com, not on any installation of my own, so I can’t edit any config file. I was thinking that the demo allows all devices to make requests to the server by default?

Apologies, I didn’t properly double check, this is about request origin:

Looks like this is just about manually configuring this as a custom header in IIS: customHeaders
In your case, it would be safer to specify https://localhost rather than completely disable XSS checks with *

Thanks again @qbrandon :+1:

I’ve added <add name="Access-Control-Allow-Origin" value="*" /> to my custom headers below:

<clear />
<remove name="X-Powered-By" />
<remove name="X-AspNet-Version" />
<remove name="X-AspNetMvc-Version" />
<remove name="Server" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="DENY" />
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
<add name="Access-Control-Allow-Origin" value="*" />

And restarted the IIS and I still got the same response:

Access to XMLHttpRequest at 'https://OurURL/api/Account/Authenticate' from origin 'https://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

Do you have more suggestions?

At this point, it may be about who is handling the OPTIONS method…
I do not have a local environment to try this right now, but can you check this type of setting for the OPTIONS verb?

It may need some tuning (since our API includes the PATCH verb as well for example)

Please try again. We have updated settings on platform.uipath.com

1 Like

Thank you for your intervention, it’s working perfectly now!

@rlove any chance you could enlighten us on what you changed to get this to work on platform.uipath.com? Did you make any changes on your backend?

We have tried @qbrandon’s proposals now and we are still facing the same issues. However, if we run Chrome with --disable-web-security then the API works. So it must be something with the browser security/policies.

Any input is highly appreciated :+1:

Hi @celfa

Yes, the setting was updated on our installation of Orchestrator CE. I’ll see if I can get you the exact setting location.

What did you guys allow? Localhost or *?

We tried both. But currently the IIS is set to *

Hi @celfa

This should be of help here:

It’s the configuration that was done for Platform.

That is basically what we already have tried.

Our last shot was to set up a CORS proxy with CORS Anywhere. But that did not change anything either.

Any other suggestions?

So finally we figured out what the issue was! :+1:

A couple of weeks ago, we installed a CORS module on the IIS and changed the web.config accordingly. However, the changes in the web.config related to the CORS module did not work at all. So we removed the CORS module part again. But what we realized was that the IIS server needs to be rebooted after a module is installed. So after a complete reboot, we could add the CORS module section to the web.config, which resulted in a working API :clap:

1 Like
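
Why adding an Access-Control-Allow-Origin custom header on its own left the error unchanged, shown as an added example that is not part of the thread or of UiPath's code: a simplified model of the browser's preflight check. The 405 status and the response header values are constructed sample values; the thread does not say what status the server actually returned.

```javascript
// Added example: simplified model of a browser's CORS preflight check.
// Sample requests and responses are constructed, not captured traffic.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

const parseList = (value) =>
  (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// request:  { origin, method, headers: [names], credentials: boolean }
// response: { status, headers: { "lower-case-name": value } }
function checkPreflight(request, response) {
  const h = response.headers;
  // Status is checked first here so the thread's error surfaces first;
  // real browsers may evaluate these conditions in a different order.
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: "preflight does not have HTTP ok status" };
  }
  const allowOrigin = h["access-control-allow-origin"];
  const wildcardOk = !request.credentials; // "*" is not a wildcard with credentials
  if (allowOrigin !== request.origin && !(wildcardOk && allowOrigin === "*")) {
    return { ok: false, reason: "origin not allowed" };
  }
  if (request.credentials && h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials not allowed" };
  }
  const methods = parseList(h["access-control-allow-methods"]);
  const method = request.method.toUpperCase();
  if (!SAFELISTED_METHODS.includes(method) &&
      !methods.includes(method.toLowerCase()) &&
      !(wildcardOk && methods.includes("*"))) {
    return { ok: false, reason: `method ${method} not allowed` };
  }
  const allowed = parseList(h["access-control-allow-headers"]);
  for (const name of request.headers.map((n) => n.toLowerCase())) {
    // "*" never covers Authorization; it has to be listed by name.
    const viaWildcard = wildcardOk && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: "preflight passed" };
}

// Constructed cases: JSON POST from the page's origin, as in the thread.
const authRequest = { origin: "https://localhost", method: "POST", headers: ["Content-Type"], credentials: false };
const headerOnly = { status: 405, headers: { "access-control-allow-origin": "*" } };
const handled = { status: 204, headers: { "access-control-allow-origin": "https://localhost",
  "access-control-allow-methods": "GET, POST, PATCH", "access-control-allow-headers": "Content-Type, Authorization" } };
console.log(checkPreflight(authRequest, headerOnly).reason);
console.log(checkPreflight(authRequest, handled).reason);
```

The first case fails on status even though the allow-origin header is present, so the OPTIONS request itself has to be answered with a 2xx response before any header value matters.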
