SA-18883

Summary

A CORS error regarding access control checks occurred when Pega REST service was accessed from JavaScript or JQuery of a different domain.

Error Messages

XMLHttpRequest cannot load http://10.0:9080/prweb/PRRestService/RetrieveWBCount/Services/RetrieveWBCount. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

Steps to Reproduce

1. Create REST Service.
2. Access from different domain.

Root Cause

A defect or configuration issue in the operating environment.
The issue is due to the CORS (XmlHttpRequest), which was sent from local file instead of a server.

Resolution

Here’s the explanation for the reported behavior:

As per CORS specifications – 
A resource makes a cross-origin HTTP request when it requests a resource from a different domain than the one which served itself. For example, an HTML page served from http://domain_a.com makes an image request for http://domain_b.com/image.jpg. Many pages on the web load resources such as CSS stylesheets, images, and scripts from separate domains.

CORS gives web servers cross-domain access controls, which enable secure cross-domain data transfers.
Modern browsers use CORS in an API container, such as XMLHttpRequest - to mitigate risks of cross-origin HTTP requests.

Note that the CORS communication and access must happen using http:// across the domains and since user tried invoking REST service using CORS using file:// (local file) and got this error.
Therefore, Pega recommends user to try this invocation from a page, which is hosted on a domain server instead of a local file path.