Error : CORS xhr XMLHttpRequest blocked on WebAgent

Article ID: 197220

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

When running a Web Agent, one may want to know how to make it send the
CORS headers described in the SiteMinder OIDC documentation (1).

The browser reports a CORS error:

  http://myserver.mydomain.com/mysdweb/myapp/rest/1?timestamp/1?myVariable=1620654243697&mySession=41141

  CORS error xhr

  Access to XMLHttpRequest at

    http://myserver.mydomain.com/mysdweb/myapp/rest/1?timestamp/1?myVariable=1620654243697&mySession=41141
  
  from origin 'http://myserver.mydomain.com' has been blocked by CORS
  policy: No 'Access-Control-Allow-Origin' header is present on the
  requested resource.

Environment

Web Agent 12.52SP1CR09 on Apache 2.4 on RedHat 6

Resolution

The Web Agent doesn't support CORS headers outside the OIDC journey.

The CORSConfiguration ACO parameter is implemented in CA Access Gateway
(SPS) and, as documented, applies only to the OIDC journey (2).

An Idea asking for this has been submitted in the past (3). In the
meantime, you can still configure the Web Server itself to add these
CORS headers (4).

To get this parameter added to Web Agent 12.52SP1, we invite you to
submit an Enhancement Request (Idea):

  1. Go to the "All Ideas" page :
     https://community.broadcom.com/ideation/allideas
  2. Click on the "Add" button.
  3. In the "Select categories...", select "Layer7 Access Management".
  4. Write a title in the "title" box.
  5. Write a complete description of the Enhancement Request or
     Certification you'd like to post.
  6. Click on "Save" to get the Idea submitted!

Additional Information

(1)

    Cross-Origin Resource Sharing (CORS) Support for OIDC Endpoints

      Web browsers follow different security policies to mitigate
      security risks when they serve user requests. The same-origin
      policy is a commonly used policy that allows a browser on a
      domain to access only those resources that are available within
      the domain, that is, the browser can access only resources with
      the same origin. In some cases, the same-origin policy may be
      restrictive when a user request requires different resources
      from different domains. For example, the same-origin policy
      forbids Single-Page Applications (SPAs) to access an OIDC
      Authorization Server that is present on another domain for OIDC
      requests.
    
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/cross-origin-resource-sharing-cors-support-for-oidc-endpoints.html

(2)

    CORS Configuration in Administrative UI

      SiteMinder supports CORS using a new ACO parameter named
      CORSConfiguration in SPSDefaultSettings ACO template. The default
      template with new ACO parameter is shipped with Policy Server
      12.8.03.

      Note: The feature is supported only with Release 12.8.03 or higher
      Policy Server and Access Gateway.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/cross-origin-resource-sharing-cors-support-for-oidc-endpoints.html

(3)

    Ability to add HSTS and CORS headers to .fcc pages

      Even if we use generic method to add HSTS headers to web pages
      from IIS8.5 server, we are unable to add HSTS headers to .fcc
      pages.

      Now on IIS 10.0 adding the global header is now working - so maybe
      there is some change in that area.

      With the release of IIS 10.0 version 1709, HSTS is now supported natively.

      https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts#iis-100-version-1709-native-hsts-support

    https://community.broadcom.com/participate/ideation-home/viewidea?IdeationKey=9188ae6b-a8ed-43f5-b7a6-6f647c9a8616

(4)

    CORS on CA SPS Federation Gateway

      This fixed the CORS ISSUE:

      # Apache mod_headers directives. Header names take no trailing colon,
      # and the methods header is Access-Control-Allow-Methods (plural);
      # 'always' adds the headers to error and redirect responses as well.
      Header always set Access-Control-Allow-Origin "*"
      Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
      Header always set Access-Control-Max-Age "1000"
      Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, SMCHALLENGE"

    https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=d03113c4-4ae7-4799-96ce-00741b574545&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=digestviewer#bmd03113c4-4ae7-4799-96ce-00741b574545
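
As an added example (not part of this article or of the community post
quoted in (4)), the same Apache mod_headers approach scoped to the
application path from the error above, with an allowlisted origin in
place of the wildcard. The path, the origin pattern and the use of
mod_setenvif and mod_rewrite are assumptions; the article does not state
how the Web Agent treats a preflight OPTIONS request on a protected
resource, so the preflight part assumes that request reaches mod_rewrite
unchallenged.

```apache
# Added example, not from the KB article: CORS headers limited to the
# application path and to an allowlisted origin. The Location path and
# the origin pattern are assumptions chosen for illustration.
<Location "/mysdweb/myapp/rest">
    # Capture the request Origin only when it matches the allowlist.
    # CORS_ORIGIN stays unset for any other origin, so no CORS headers
    # are emitted and the browser blocks the cross-origin read, exactly
    # as in the error message above.
    SetEnvIf Origin "^(https://app\.mydomain\.com)$" CORS_ORIGIN=$1

    # 'always' covers error and redirect responses too (for example the
    # agent's 302 to the login form); env= makes each header conditional
    # on the allowlist match.
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    # Needed if the SPA sends the SMSESSION cookie (credentials: include);
    # browsers reject this combination when the origin is "*", which is
    # why the wildcard from (4) cannot be used with credentials.
    Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, SMCHALLENGE" env=CORS_ORIGIN
    Header always set Access-Control-Max-Age "1000" env=CORS_ORIGIN
    # The value now varies per origin, so shared caches must key on it.
    Header always merge Vary "Origin"

    # Answer the preflight for an allowed origin with an empty 204 so the
    # headers above are returned without running the application.
    # Assumption: OPTIONS on this path is not challenged by the agent
    # before the fixup phase where per-location mod_rewrite runs.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =OPTIONS
    RewriteCond %{ENV:CORS_ORIGIN} !^$
    RewriteRule ^ - [R=204,L]
</Location>
```

Compared with the directives in (4), this keeps the FCC and other agent
pages outside the CORS surface, only ever echoes an origin you listed,
and sends nothing at all for an unlisted origin. Check the result with a
browser's network panel or by inspecting the response headers of an
OPTIONS request that carries an Origin header.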