
Error : CORS xhr XMLHttpRequest blocked on WebAgent


Article ID: 197220


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER



When running a Web Agent, one might like to know how to make it emit the
CORS headers described in the SiteMinder OIDC documentation section (1).

The browser reports a CORS error.

  CORS error xhr

  Access to XMLHttpRequest at
  from origin '' has been blocked by CORS
  policy: No 'Access-Control-Allow-Origin' header is present on the
  requested resource.




Web Agent 12.52SP1CR09 on Apache 2.4 on RedHat 6




At first glance, the Web Agent doesn't support CORS headers outside OIDC.

The CORSConfiguration parameter is implemented in CA Access Gateway (SPS)
and documented for the OIDC journey only (2).

An Idea has been submitted in the past (3); in the meantime you can still
configure the Web Server itself to send these CORS headers (4).

In order to get this parameter added to Web Agent 12.52SP1, we invite you
to submit an Enhancement Request (Idea):

  1. Go to the "All Ideas" page:
  2. Click on the "Add" button.
  3. In "Select categories...", select "Layer7 Access Management".
  4. Write a title in the "title" box.
  5. Write a complete description of the Enhancement Request or
     Certification you'd like to post.
  6. Click on "Save" to get the Idea submitted!


Additional Information



    Cross-Origin Resource Sharing (CORS) Support for OIDC Endpoints

      Web browsers follow different security policies to mitigate
      security risks when they serve user requests. The same-origin
      policy is a commonly used policy that allows a browser on a
      domain to access only those resources that are available within
      the domain, that is, the browser can access only resources with
      the same origin. In some cases, the same-origin policy may be
      restrictive when a user request requires different resources
      from different domains. For example, the same-origin policy
      forbids Single-Page Applications (SPAs) from accessing an OIDC
      Authorization Server that is present on another domain for OIDC


    CORS Configuration in Administrative UI

      SiteMinder supports CORS using a new ACO parameter named
      CORSConfiguration in the SPSDefaultSettings ACO template. The default
      template with the new ACO parameter is shipped with Policy Server

      Note: The feature is supported only with Release 12.8.03 or higher
      Policy Server and Access Gateway.


    Ability to add HSTS and CORS headers to .fcc pages

      Even if we use the generic method to add HSTS headers to web pages
      from the IIS 8.5 server, we are unable to add HSTS headers to .fcc

      Now on IIS 10.0 adding the global header is working, so maybe
      there is some change in that area.

      With the release of IIS 10.0 version 1709, HSTS is now supported natively.


    CORS on CA SPS Federation Gateway

      This fixed the CORS ISSUE:

      # mod_headers syntax: no trailing colon after the header name, and the
      # CORS header is Access-Control-Allow-Methods (plural).
      # Note: browsers reject "*" when the request carries credentials
      # (e.g. an SMSESSION cookie); an explicit allowed origin is needed then.
      Header always set Access-Control-Allow-Origin "*"
      Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
      Header always set Access-Control-Max-Age "1000"
      Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, SMCHALLENGE"
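As an added example (not code from this article, the community post, or the SiteMinder product), the following Python models the browser's CORS decision and runs it against the header set the Apache rule above produces, then against an allowlist variant that also works for requests carrying an SMSESSION cookie. The origins and the `cors_headers_for` rule are constructed for illustration.

```python
# Added example, not from this KB article or the SiteMinder product: a model of
# the browser-side CORS check, applied to the Apache header set quoted on this page.
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}

def cors_verdict(resp, origin, method="GET", req_headers=(), with_credentials=False):
    """Decide as a browser would whether one cross-origin XHR is allowed; returns (allowed, reason)."""
    h = {k.lower(): v.strip() for k, v in resp.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "No 'Access-Control-Allow-Origin' header is present"
    if with_credentials and acao == "*":
        # A cookie-backed session such as SMSESSION needs an explicit origin.
        return False, "wildcard origin is rejected when credentials are sent"
    if acao not in ("*", origin):
        return False, f"origin {origin} is not allowed"
    if with_credentials and h.get("access-control-allow-credentials", "").lower() != "true":
        return False, "Access-Control-Allow-Credentials: true is missing"
    methods = {m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",")}
    if method.upper() not in {"GET", "HEAD", "POST"} | methods:
        return False, f"method {method} is not listed in Access-Control-Allow-Methods"
    allowed = {x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",")}
    for rh in req_headers:
        if rh.lower() not in SAFELISTED and rh.lower() not in allowed:
            return False, f"request header {rh} is not listed in Access-Control-Allow-Headers"
    return True, "ok"

def cors_headers_for(origin, allowlist):
    """Constructed rule: reflect the Origin only when allowlisted, never '*', and vary on Origin."""
    if origin not in allowlist:
        return {"Vary": "Origin"}          # unknown origin: no CORS grant at all
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "POST, GET, OPTIONS, DELETE, PUT",
        "Access-Control-Allow-Headers": "x-requested-with, Content-Type, origin, authorization, accept, SMCHALLENGE",
        "Vary": "Origin",
    }

# The header set produced by the Apache rule quoted on this page.
PAGE_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS, DELETE, PUT",
    "Access-Control-Max-Age": "1000",
    "Access-Control-Allow-Headers": "x-requested-with, Content-Type, origin, authorization, accept, SMCHALLENGE",
}
SPA = "https://spa.example.com"   # constructed single-page-app origin

if __name__ == "__main__":
    print(cors_verdict(PAGE_HEADERS, SPA, with_credentials=True))  # rejected: '*' with a cookie
    print(cors_verdict(cors_headers_for(SPA, {SPA}), SPA, "DELETE", ("SMCHALLENGE",), True))
```

An anonymous GET passes with the wildcard rule, but the same request sent with the SMSESSION cookie is rejected by the browser; only the allowlisted, reflected origin satisfies both.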