Support Article
Cross-Origin Resource Sharing (CORS) errors using XMLHttpRequest
SA-18883
Summary
A CORS error regarding access control checks occurred when a Pega REST service was accessed from JavaScript or jQuery on a different domain.
Error Messages
XMLHttpRequest cannot load http://10.0:9080/prweb/PRRestService/RetrieveWBCount/Services/RetrieveWBCount. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
Steps to Reproduce
1. Create a REST service.
2. Access it from a different domain.
Root Cause
A defect or configuration issue in the operating environment.
The issue occurs because the CORS request (XMLHttpRequest) was sent from a local file instead of from a server.
Resolution
Here’s the explanation for the reported behavior:
As per the CORS specification:
A resource makes a cross-origin HTTP request when it requests a resource from a different domain than the one which served itself. For example, an HTML page served from http://domain_a.com makes an image request for http://domain_b.com/image.jpg. Many pages on the web load resources such as CSS stylesheets, images, and scripts from separate domains.
CORS gives web servers cross-domain access controls, which enable secure cross-domain data transfers.
Modern browsers use CORS in an API container, such as XMLHttpRequest, to mitigate the risks of cross-origin HTTP requests.
Note that CORS communication and access must happen over http:// across the domains. Because the user invoked the REST service through CORS from file:// (a local file), the request failed with this error.
Therefore, Pega recommends that the user try this invocation from a page that is hosted on a domain server instead of from a local file path.
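The check behind the error above, as an added example that is not Pega code or part of the original article: a server-side allow-list decision for the preflight request and a simplified version of the browser's access control check. The allow-list, the sample origins, and the function names are assumptions made for illustration; a page opened from file:// sends `Origin: null`, which the allow-list deliberately never matches.

```javascript
// Added example: allow-list CORS decision for a preflight (OPTIONS) request.
// ALLOWED_ORIGINS and all function names are hypothetical, not Pega settings.
const ALLOWED_ORIGINS = new Set(["http://domain_a.com"]); // constructed sample
const ALLOWED_METHODS = ["GET", "POST"];

// Server side: build the CORS response headers for a preflight request.
function preflightHeaders(origin, requestedMethod) {
  const headers = { Vary: "Origin" };
  // A page opened from file:// sends the literal string "null" as its Origin.
  // It is never allow-listed: any local or sandboxed document can send it.
  if (!origin || origin === "null") return headers;
  if (!ALLOWED_ORIGINS.has(origin)) return headers;
  if (!ALLOWED_METHODS.includes(requestedMethod)) return headers;
  headers["Access-Control-Allow-Origin"] = origin; // exact origin, no wildcard
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  return headers;
}

// Browser side (simplified): does the preflight response pass the check?
function passesAccessControlCheck(origin, requestedMethod, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  // Missing header: "No 'Access-Control-Allow-Origin' header is present".
  if (allowOrigin === undefined) return false;
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = (headers["Access-Control-Allow-Methods"] || "")
    .split(",")
    .map((m) => m.trim());
  return methods.includes(requestedMethod);
}

// Run one request through both sides.
function check(origin, method) {
  const headers = preflightHeaders(origin, method);
  return passesAccessControlCheck(origin, method, headers);
}

// Constructed sample requests: local file, hosted page, unknown origin.
for (const origin of ["null", "http://domain_a.com", "http://other.example"]) {
  console.log(origin, "->", check(origin, "GET") ? "allowed" : "blocked");
}
```

Hosting the calling page on an allow-listed origin makes the preflight pass without the service ever having to trust `null`.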
Published April 27, 2016 - Updated October 8, 2020