Cross Origin Resource Sharing (CORS) and creating a virtual service recording in DevTest

Article ID: 14481

Updated On:

Products

CA Application Test, CA Continuous Application Insight (PathFinder)

Issue/Introduction



When trying to do a VSE recording, I find the recording is failing when the service accesses a resource from another server. The error I am seeing from our client application during the recording is the following:

Request header field <fieldName> is not allowed by Access-Control-Allow-Headers in preflight response

Is the VSE Recorder able to record a service that uses CORS?

Environment

Release:
Component: ITKOVS

Resolution

In most cases you are able to do the recording. However, you won't be able to do a gateway-style recording. Instead, you will have to select the proxy recording setting so that the additional interaction between services can work. For some services using CORS, you may need to register your VSE recorder's IP address with the system you are trying to record, to avoid restrictions that could prevent CORS from working.

If you still have issues recording a CORS-based service after selecting the proxy recording setting and registering the IP address of the recorder with your application, reach out to our support for further guidance.

Additional Information

https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=787076

In the VSM, ensure that your REST protocol DPH allows a URI rule of OPTIONS /<theuri>/<string> where <theuri>/<string> matches your needed URI. 

You will need one OPTIONS for each URI that needs to be "pre-flighted". This varies; for example, GET requests may not need to make the OPTIONS call.

 

In the VSI for each OPTIONS REST DPH rule, add a transaction to support the OPTIONS call

OPTIONS /<theuri>/<string>

Since there are no arguments, you might get away with setting the match style to Operation.

 

 

In the response metadata, add the necessary headers that the Live System echoes with the options that are available.

For example,

Allow=OPTIONS,POST,GET

Access-Control-Allow-Origin=*

 Accept, Accept-Language, Content-Type, Last-Event-Id, etc.

Also, you may need to remove headers that are not considered safe by your implementation.

 

Give this a try and report back on what you find out.  This will be helpful to others dealing with CORS issues.
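
The check a browser applies to the OPTIONS response described above, as an added example (not code from this article or from DevTest): it reports what a virtualized preflight response would fail on, including the "Request header field ... is not allowed" error from the question. The function name, origin and `x-request-id` header are constructed for illustration; note that the browser evaluates `Access-Control-Allow-Methods`, not `Allow`, and does not accept `*` for credentialed requests.

```javascript
// Added example: would a browser accept this virtualized preflight (OPTIONS) response?
// checkPreflight and all sample values are hypothetical, not part of DevTest.
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
// Header names are case-insensitive, so fold them before lookup.
const lower = (h) => Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

function checkPreflight(request, response, status = 200, withCredentials = false) {
  const req = lower(request), res = lower(response), problems = [];
  if (status < 200 || status > 299) problems.push(`preflight status ${status} is not 2xx`);

  // "*" only counts as a wildcard when the request carries no credentials.
  const allowOrigin = res["access-control-allow-origin"];
  const wildcardOrigin = allowOrigin === "*" && !withCredentials;
  if (!wildcardOrigin && allowOrigin !== req["origin"])
    problems.push(`origin ${req["origin"]} not allowed by Access-Control-Allow-Origin`);
  if (withCredentials && res["access-control-allow-credentials"] !== "true")
    problems.push("Access-Control-Allow-Credentials: true is required for credentialed requests");

  // GET, HEAD and POST are CORS-safelisted; other methods must be listed explicitly.
  // Simplification: methods are compared case-insensitively here.
  const allowMethods = list(res["access-control-allow-methods"]);
  const method = (req["access-control-request-method"] || "").toLowerCase();
  const safelisted = ["get", "head", "post"].includes(method);
  const wildcardMethod = allowMethods.includes("*") && !withCredentials;
  if (!safelisted && !wildcardMethod && !allowMethods.includes(method))
    problems.push(`method ${method.toUpperCase()} not allowed by Access-Control-Allow-Methods`);

  // Every name in Access-Control-Request-Headers must be allowed;
  // a "*" wildcard never covers Authorization.
  const allowHeaders = list(res["access-control-allow-headers"]);
  const wildcardHeaders = allowHeaders.includes("*") && !withCredentials;
  for (const name of list(req["access-control-request-headers"])) {
    const covered = allowHeaders.includes(name) || (wildcardHeaders && name !== "authorization");
    if (!covered) problems.push(`Request header field ${name} is not allowed by Access-Control-Allow-Headers`);
  }
  return problems;
}

// Constructed sample: preflight a browser would send for a JSON POST with a custom header.
const samplePreflight = {
  "Origin": "https://app.example.test",
  "Access-Control-Request-Method": "POST",
  "Access-Control-Request-Headers": "content-type, x-request-id",
};
// Constructed VSI response metadata, modelled on the headers listed in the steps above.
const recordedResponse = {
  "Allow": "OPTIONS,POST,GET",
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Headers": "Accept, Accept-Language, Content-Type, Last-Event-Id",
};
console.log(checkPreflight(samplePreflight, recordedResponse));
```

An empty array means the response passes; pass `true` as the fourth argument to model a client that sends cookies or other credentials.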