CORS Issue with Epicor REST

I am developing right now some dashboards that connect to epicor 10. We are a Multi-tenant SaaS customer, so we had to go over a lot to figure out how to connect to the ReST API. I got it running with some Ajax and Javascript. It looks pretty neat, still a lot of work to do.

I did it in Pilot and Chrome with no problems. But whenever I changed it to the production environment I got a message about not CORS in Chrome. Can anyone provide some help on that? Could it be the IIS?

That’s a Cross Domain Request Issue, a Browser Security Feature. You can disable CORS in the web.config of your app servers. Add the following appSetting:

    <add key="CorsOrigins" value="*" /> 

NOTE: THIS IS A POTENTIAL SECURITY RISK. Read about CORS before making this change.

So what would be the right way to go with it?

Why am I getting it in the first place, it is with production database only. With Pilot I am not getting this error message.

Thanks!

Instead of * you should narrow it down to specific domains that you want to allow.
Maybe someone already did it in Pilot? Or is the app you are hosting on the same server as Pilot?

1 Like

No, the “website/app” I am coding is local, I am just using Ajax to bring data from our server. Like I mentioned we are a cloud based EPICOR customer, we are a multi-tenant environment.

So that is why I find interesting how come in pilot I am not getting that error message, no one else has done this before here.

So in domains would I put the EPICOR server? or the local IP address from the machine I am running?

The domain / IP of the machine the request is coming from (I imagine). I haven’t tried a specific domain.

You would need to put the exact schema, domain and port you are connecting from.
If your script is running on your local machine like http://localhost:8080, you would need to put this in CorsOrigin.
But if * is used, then it should work for any address.

Okay, so it would be better to only allow a specific domain to do that. Thanks for that clarification. Now where would I put that code? Where would I find the web.config file?

Thanks!

It’s in your app server web.config

So if you are in multi-tenant or dedicated tenant saas then you don’t actually control the cors origins setting or the web.config file - we do. So I recommend you reach out to the SaaS Ops team about it via epicor support.

BTW I know for a fact that we’re allowing open cors as a standard part of SaaS configuration rather than whitelisting each consumer because sadly cors doesn’t actually support a discrete whitelist of domains. You can specify * for all or one specific domain and that’s it.

Jose is right that there are some security implications to open cors (eg. a website hosted anywhere is allowed to try to call epicor saas rest services), but they’re fairly minor for us because our apis require authentication. So long as you are careful with the epicor auth token you get (like don’t store it in a cookie that any website can read, just your own) then you’re fine.

2 Likes

Thanks Brian. But would you be able to answer why with Pilot it did not pop up?

I am using brackets to develop the app btw.

Each erp appserver needs to be configured to allow this access so my best guess is pilot has this configuration but one of the live instances doesn’t.

And this appserver configuration is something we have to do, or is it something Saas Cloud team needs to do?

Thanks!

This is the message I am receiving.

Failed to load https://XXXXX Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://XXX’ is therefore not allowed access. The response had HTTP status code 401.

You need to contact Saas Cloud team to update web.config

Thanks! That did the trick, they had to enable it from their side.

1 Like

I’ve been having a different CORS issue while calling the REST api. I’m getting a 403 error when making REST calls, with an error message of “Response for preflight does not have HTTP ok status.” To try and get by this error I added the line Jose gave up above and I’ve added this to the web.config:

    <cors enabled="true" failUnlistedOrigins="true">
        <add origin="localhost:50134" allowCredentials="true">
            <allowHeaders allowAllRequestedHeaders="true"></allowHeaders>
            <allowMethods>
                <add method="GET"/>
                <add method="PUT"/>
                <add method="POST"/>
                <add method="DELETE"/>
                <add method="OPTIONS"/>
            </allowMethods>
        </add>
    </cors>

I haven’t seen anybody else having this error on E10 help, so I’m not sure why we are the only ones having this issue.

The code you added is not necessary for REST.
The only thing you should have in web.config is <add key="CorsOrigins" value="*" /> in the appSettings section.

Ok so would this 403 error be related to certificates? That’s what it’s looking like right now.

You need to find out what gives you 403 or other error and fix it. Then CORS will work, I think.

Look into Event Viewer on the server: are there related errors in the Epicor and application logs?
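
The exact-origin matching and preflight handling discussed in this thread, as an added example that is not part of any post and is not Epicor's code: since the Access-Control-Allow-Origin header carries a single origin, a server that wants to admit several compares the request's Origin header against its own list and echoes the one that matched. The origins and the names `corsDecision` and `normalizeOrigin` are hypothetical.

```javascript
// Added example, not Epicor code. Origins are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:8080",          // local dev page, as mentioned in the thread
  "https://dashboards.example.com", // hypothetical production host
]);

// Return the origin as scheme://host[:port], or null when it is not a
// well-formed http(s) origin (no scheme, "null", trailing path, ...).
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const url = new URL(value);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    return url.origin === value ? url.origin : null;
  } catch (err) {
    return null;
  }
}

// Decide the CORS part of a response. `req` is { method, headers } with
// lower-cased header names. action "reply" = answer now with `status`;
// action "continue" = run authentication and the handler, then add `headers`.
function corsDecision(req, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(req.headers["origin"]);
  const preflight = req.method === "OPTIONS" &&
    "access-control-request-method" in req.headers;
  const headers = { "Vary": "Origin" }; // response differs per Origin, so caches must key on it

  if (origin === null || !allowed.has(origin)) {
    // No Access-Control-Allow-Origin header: the browser refuses to hand
    // the response to the calling script.
    return preflight ? { action: "reply", status: 403, headers }
                     : { action: "continue", status: null, headers };
  }

  // The header carries one origin, so echo the entry that matched.
  headers["Access-Control-Allow-Origin"] = origin;
  if (preflight) {
    // Browsers send the preflight without credentials or the Authorization
    // header, so it is answered before any authentication check.
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    return { action: "reply", status: 204, headers };
  }
  return { action: "continue", status: null, headers };
}
```

A request from an unlisted origin still reaches the server and is still subject to authentication; CORS only controls whether the browser lets the calling page read the response.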