Cross Origin Resource Sharing (CORS) and creating a virtual service recording in DevTest
search cancel

Cross Origin Resource Sharing (CORS) and creating a virtual service recording in DevTest


Article ID: 14481


Updated On:


CA Application Test CA Continuous Application Insight (PathFinder)


When trying to do a VSE recording,  I find the recording is failing when the service access a resource from another server.  The error I am seeing from our client application during the recording is the following.

Request header field <fieldName> is not allowed by Access-Control-Allow-Headers in preflight response

Is the VSE Recorder able to record a service that uses CORS?


Component: ITKOVS


In most cases you are able to do the recording.  However,  you wont be able to do a gateway style recording.  Instead you will have to select the proxy recording setting to allow the additional interaction between services to work.  Some services using CORS,  you may need to register your VSE's recorder IP address with the system you are trying to record to avoid restrictions that could prevent CORS from working.

If you still have issues with trying to record a CORS based service by selecting the proxy recording setting, and registering the IP address of the recorder with your application,  then reach out to our support for further guidance.

Additional Information

In the VSM, ensure that your REST protocol DPH allows a URI rule of OPTIONS /<theuri>/<string> where <theuri>/<string> matches your needed URI. 

You will need one OPTIONS for each URI that needs to be "pre-flighted". This varies for example GET requests may not need to make the OPTIONS call.


In the VSI for each OPTIONS REST DPH rule, add a transaction to support the OPTIONS call

OPTIONS /<theuri>/<string>

Since there are no arguments, you might get away with setting the match style to Operation.



In the response META data, add the necessary headers that the Live System echos with the options that are available. 

For example,



 Accept, Accept-Language, Content-Type, Last-Event-Id, etc.

Also, you may need to remove headers that are not considered safe by your implementation.


Give this a try and report back on what you find out.  This will be helpful to others dealing with CORS issues.