Hmm, haven't you gone round in a circle here? Isn't this what introducing the reverse proxy should have solved? You should not have to mess around with CORS to get this to work. If the index.html is being served from the same host as the API (or apparently the same host because of the reverse proxy) then it should just work. If you are serving the index.html from a local web server on your PC then you must configure this as a reverse proxy as well so that it redirects API calls to the real host. If you are just opening the HTML file directly in the browser then it will not work; it needs to be served from a local web server like this, for example: https://www.npmjs.com/package/http-server

However, in both the latter cases it wouldn't work at all unless you are using absolute URLs for your AJAX API calls, which you shouldn't be, so all AJAX calls should be to '/api/someendpoint...' not 'http://an.ip/api/someendpoint'.

It sounds to me like you're just opening the index.html locally and in it you have used absolute URLs to the API, which won't work. If so, try this:

1) change any absolute URLs in your index.html to relative ones
2) install http-server
> npm install http-server -g
3) cd <to_where_your_index.html_is>
4) run the server, proxying unknown URLs to your API...
> http-server --proxy http://youribmi/api
5) point your browser at localhost:8080 and your page should work as expected

Tim.
________________________________
From: WEB400 <web400-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Booth Martin <booth@xxxxxxxxxxxx>
Sent: 05 April 2019 20:55
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: [WEB400] CORS header 'Access-Control-Allow-Origin'

Security issues scare me. It seems like a really easy place to make
oneself look like an idiot.

Here is the scenario: I have a web services service available. It is
reachable over the internet (if one is inside the VPN) from a browser
line at, say, http://an.ibm.i/api/dayName/2019-03-15 and returns:

dayOut "2019-03-15 is a Friday"

which is what I expect and want.

However if I use that link in an index.html on the same desktop I get
"Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at http://.../api/dayName/2019-03-15. (Reason: CORS
header ‘Access-Control-Allow-Origin’ missing)."

OK. I get it. There is a security issue that is being solved. Good.

So I read about what to do and realize this is way out of my
wheelhouse. What have others done?



--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.
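
The same-origin decision behind the three setups discussed in this thread (page opened from disk, page on a local web server with an absolute API URL, page on a local web server with a relative URL behind a proxy), as an added example that is not part of the original messages. The function name `checkRequest` and the local file path are assumptions made for illustration; the host names are the thread's own placeholders.

```javascript
// Added example (not from the thread): models the browser's same-origin check.
// Hosts and paths are the thread's placeholders; credentials and preflight
// requests are not modelled.

// May script on pageUrl read the response of an AJAX call to apiRef?
// apiRef may be relative; the browser resolves it against the page URL.
// acao is the Access-Control-Allow-Origin response header, or null if absent.
function checkRequest(pageUrl, apiRef, acao = null) {
  const pageOrigin = new URL(pageUrl).origin;   // "null" for file: pages
  const target = new URL(apiRef, pageUrl);      // resolve relative URLs
  // An opaque ("null") origin is never same-origin with anything.
  const sameOrigin = pageOrigin !== 'null' && target.origin === pageOrigin;
  // Cross-origin reads need the server to opt in via the header.
  const allowed = sameOrigin || acao === '*' || acao === pageOrigin;
  return { target: target.href, sameOrigin, allowed };
}

const API = 'http://an.ibm.i/api/dayName/2019-03-15';
const cases = [
  ['file:///home/me/index.html', API],                             // opened from disk
  ['http://localhost:8080/index.html', API],                       // absolute URL
  ['http://localhost:8080/index.html', '/api/dayName/2019-03-15'], // relative URL
];
for (const [page, ref] of cases) {
  const r = checkRequest(page, ref);
  console.log(`${page} -> ${r.target}: ${r.allowed ? 'readable' : 'blocked'}`);
}
```

Only the third case is same-origin from the browser's point of view: the request goes to localhost:8080, and the local server forwards it to the API host on the server side, so no CORS header is involved.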

