Rally : API request blocked by CORS policy


Article ID: 132599




Rally On-Premise, Rally SaaS


An application that is served from an internal web server and makes requests to the Rally infrastructure may fail because of CORS policy. The failure appears in the developer tools console of the browser running the application, as an error similar to the following:

Access to XMLHttpRequest at 'https://rally1.rallydev.com/slm/webservice/v2.0/hierarchicalrequirement?pagesize=1000&fetch=<FormattedID>' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. 


Component: ACSAAS


This is caused by the subscription not being configured to allow CORS requests.

CORS stands for Cross-Origin Resource Sharing, a mechanism by which a web application served from one web server is allowed to access resources on another web server. For security reasons, this behavior is prevented by default for Rally subscriptions; however, it can be enabled so that these types of requests are served.

An alternative is to enable JSONP; however, CORS is the more modern option and natively handles update capability. JSONP may be the only option if your project must support an older browser, but its capabilities may be limited.
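The browser-side check that produces the error shown above, as an added example that is not part of the original article or Rally's own code. `getHeader` and `corsCheck` are hypothetical names, the response headers are constructed samples, and the exact headers Rally returns once CORS is enabled are an assumption.

```javascript
// Added example: simplified browser CORS check (Fetch standard) for a simple GET.
// Header names are matched case-insensitively; the sample responses are constructed.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Returns { allowed, reason } for a response to a request sent from `origin`;
// `withCredentials` mirrors XMLHttpRequest.withCredentials.
function corsCheck(origin, headers, withCredentials = false) {
  const acao = getHeader(headers, 'Access-Control-Allow-Origin');
  if (acao === null) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (acao === '*') {
    // The wildcard is never accepted for credentialed requests.
    return withCredentials
      ? { allowed: false, reason: "Wildcard '*' not allowed with credentials" }
      : { allowed: true, reason: 'Wildcard origin allowed' };
  }
  // Otherwise the value must equal the serialized origin exactly
  // (scheme, host and port); a list of origins does not match.
  if (acao !== origin) {
    return { allowed: false, reason: `Header value '${acao}' does not match origin` };
  }
  if (withCredentials &&
      getHeader(headers, 'Access-Control-Allow-Credentials') !== 'true') {
    return { allowed: false, reason: "'Access-Control-Allow-Credentials' is not 'true'" };
  }
  return { allowed: true, reason: 'Origin allowed' };
}

// Constructed responses: CORS disabled vs. a server that echoes the origin.
const origin = 'http://localhost:8080';
const corsDisabled = { 'Content-Type': 'application/json' };
const corsEnabled = {
  'access-control-allow-origin': origin,
  'access-control-allow-credentials': 'true',
};
console.log(corsCheck(origin, corsDisabled));
console.log(corsCheck(origin, corsEnabled, true));
```

The same comparison can be made by hand in the Network tab of the developer tools: compare the request's `Origin` header with the `Access-Control-Allow-Origin` value in the response.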


CORS needs to be enabled by a subscription administrator:
  1. Access the Setup screen by clicking the "hammer & wrench" icon in the toolbar
  2. Click Subscription
  3. Mouse over Actions
  4. Click "Edit Subscription..."
  5. Place a check next to "Enable Cross-Origin Resource Sharing (CORS)"

To enable JSONP instead, place a check next to "Enable JSONP".