2

I've got two servers, both of which I control. One is a thingworx server that talks to the other, a windchill server, and displays my web page. I've got a thingworx mashup that talks to the windchill server. It pulls images and pdf from the windchill server and allows the operator of the mashup to alter the image or pdf then put it back on the server. I tackled the CORS problem presented when pulling images from the server but now I'm getting CORS errors when POSTing to the server.

I tried putting the CORS filter on the thingworx server but no joy. I had to tell the script to pull the images as crossorigin, so I'm thinking there's some proper way to ask for a crossorigin POST too.

```javascript
$.ajax({
    method: 'POST',
    url: urlString,
    enctype: 'multipart/form-data',
    processData: false, // send the FormData object as-is
    cache: false,
    contentType: false, // let the browser set multipart/form-data with its boundary
    type: 'POST',
    data: fd
    //crossOrigin: true
}).done(function(data) {
    console.log('success', data);
});
```

Works great with CORS checking turned off in chrome.

  • 5
    your server needs to send CORS headers - `Access-Control-Allow-Host` etc to allow CORS access. Your server *may* also need to respond to OPTIONS request method, depending on the request, the browser may send the OPTIONS pre-flight request – Jaromanda X Jul 22 '19 at 21:11
  • Both servers are set up to send CORS headers. – Supasamurai Jul 22 '19 at 21:24
  • 2
    Please add exactly what CORS error you are getting in that case - because the code you presented looks at face value to be fine, as long as CORS headers are being sent by the server (your code won't even trigger pre-flight either) - edit: maybe it will trigger pre-flight, but jquery documentation is vague at best about what you are doing – Jaromanda X Jul 23 '19 at 02:25
  • 1
    what is `enctype: 'multipart/form-data',` ? shouldn't that be `contentType: 'multipart/form-data',` - there's absolutely nothing in jquery documentation that even mentions `enctype` argument, looks made up – Jaromanda X Jul 23 '19 at 02:32
  • changing 'enctype' to 'contentType' neither helped nor hurt. `Access to XMLHttpRequest at 'https://www.serverB.com/createObject.xml?paramName=2019-07-23T14:29:06.569Z' from origin 'https://www.serverA.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Combined.version.js:634 Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.serverB.com/createObject.xml?paramName=2019-07-23T14:29:06.569Z with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.` – Supasamurai Jul 23 '19 at 14:40
  • 1
    @JaromandaX I can't find anything that talks specifically about 'Access-Control-Allow-Host', where do I find info about that? I see stuff like `Access-Control-Allow-[methods, credentials, headers, origin]` but no host. [checking here](https://www.w3.org/TR/cors/) – Supasamurai Jul 23 '19 at 17:21
  • sorry, I meant `-Origin`, not `-Host` - at least it shows you've done some searching :p – Jaromanda X Jul 23 '19 at 21:26
  • If anyone is wondering what I did: I put my file on serverA and then triggered a script on serverB to come and get it. So I just ended up doing a totally different thing. – Supasamurai Jul 28 '19 at 04:54

1 Answer

0

For current versions of Windchill you can configure CORS as per the following PTC Article: https://support.ptc.com/help/wnc/r12.0.0.0/en/#page/Windchill_Help_Center%2FFileVaultConfigWCforCORS.html%23

This requires CORS filters to be set in the Tomcat config of Windchill.

It seems that you are trying to move content from or to the Windchill server, hence I believe the article above should be applicable in this use case.

Summary of steps:

Configure CORS filters to allow cross-origin http requests using the following procedure. This configuration is applicable to Windchill master and file server sites.

  1. Navigate to <Windchill_Home>\codebase\WEB-INF\web.xml.
  2. Update web.xml file with the following ContentCorsFilter and ContentHttpHeaderSecurityFilter along with Mapping configurations:

```xml
<!-- Tomcat CorsFilter: adds the Access-Control-* response headers -->
<filter>
    <filter-name>ContentCorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>[ALLOWED_ORIGINS]</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,OPTIONS</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With</param-value>
    </init-param>
</filter>
<!-- Tomcat HttpHeaderSecurityFilter: sets X-Frame-Options to ALLOW-FROM the given URI -->
<filter>
    <filter-name>ContentHttpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>[ALLOWED_ORIGINS]</param-value>
    </init-param>
</filter>
<!-- Both filters apply only to the content view and download URLs mapped below -->
<filter-mapping>
    <filter-name>ContentCorsFilter</filter-name>
    <url-pattern>/servlet/WindchillAuthGW/wt.content.ContentHttp/viewContent/*</url-pattern>
    <url-pattern>/servlet/WindchillAuthGW/wt.fv.master.StandardMasterService/doDirectDownload/*</url-pattern>
    <url-pattern>/servlet/WindchillAuthGW/wt.fv.replica.StandardReplicaService/doDownload/*</url-pattern>
    <url-pattern>/servlet/WindchillAuthGW/wt.fv.replica.StandardReplicaService/doIndirectDownload/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>ContentHttpHeaderSecurityFilter</filter-name>
    <url-pattern>/servlet/WindchillAuthGW/wt.content.ContentHttp/viewContent/*</url-pattern>
    <url-pattern>/servlet/WindchillAuthGW/wt.fv.master.StandardMasterService/doDirectDownload/*</url-pattern>
    <url-pattern>/servlet/WindchillAuthGW/wt.fv.replica.StandardReplicaService/doDownload/*</url-pattern>
    <url-pattern>/servlet/WindchillAuthGW/wt.fv.replica.StandardReplicaService/doIndirectDownload/*</url-pattern>
</filter-mapping>
```

Update the cors.allowed.origins and antiClickJackingUri parameters with the desired web address(es) using a comma-separated list. Do not use an asterisk (*) since cors.support.credentials is required to be true.

  3. Save the web.xml file.
  4. Restart the Windchill server.

Please always use the latest PTC Tech Support and Help Articles for the most current and up-to-date information, as these steps may change.

Fitz09
  • 41
  • 5
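The thread turns on three browser rules: when a POST triggers an OPTIONS preflight, why a response without `Access-Control-Allow-Origin` is blocked, and why a wildcard origin cannot be combined with credentials. The following is an added example, not code from the question, the answer or PTC; it is a simplified model of the Fetch specification's checks, and the names `needsPreflight`, `originCheck`, `corsVerdict` and `askerPost` are hypothetical.

```javascript
// Added example: simplified model of the browser's CORS decision (Fetch spec).
// Not modelled: XHR upload listeners, header value length limits, redirects.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language'];
const SAFE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const lower = (h) => Object.fromEntries(Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), String(v)]));
const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
// Names of request headers that force an OPTIONS preflight.
function unsafeHeaders(req) {
  return Object.entries(lower(req.headers)).filter(([name, value]) => {
    if (name === 'content-type') return !SAFE_TYPES.includes(value.split(';')[0].trim().toLowerCase());
    return !SAFE_HEADERS.includes(name);
  }).map(([name]) => name);
}
function needsPreflight(req) {
  return !SAFE_METHODS.includes(req.method.toUpperCase()) || unsafeHeaders(req).length > 0;
}
// Check applied to every cross-origin response; returns null or the failure reason.
function originCheck(req, resHeaders) {
  const h = lower(resHeaders);
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return 'no Access-Control-Allow-Origin header';
  if (!req.credentials && allow === '*') return null;
  if (allow !== req.origin) return 'Access-Control-Allow-Origin is ' + allow + ', need ' + req.origin;
  if (!req.credentials) return null;
  return h['access-control-allow-credentials'] === 'true' ? null : 'Access-Control-Allow-Credentials is not true';
}
// preflightRes is the OPTIONS response, actualRes the response to the request itself.
function corsVerdict(req, preflightRes, actualRes) {
  if (needsPreflight(req)) {
    if (!preflightRes || preflightRes.status < 200 || preflightRes.status > 299) return 'blocked: preflight status is not 2xx';
    const h = lower(preflightRes.headers);
    const pErr = originCheck(req, h);
    if (pErr) return 'blocked: preflight: ' + pErr;
    const star = (names) => !req.credentials && names.includes('*');
    const methods = list(h['access-control-allow-methods']);
    if (!SAFE_METHODS.includes(req.method.toUpperCase()) && !methods.includes(req.method.toLowerCase()) && !star(methods))
      return 'blocked: method not in Access-Control-Allow-Methods';
    const allowed = list(h['access-control-allow-headers']);
    const missing = unsafeHeaders(req).filter((n) => !allowed.includes(n) && !star(allowed));
    if (missing.length) return 'blocked: header not allowed: ' + missing.join(', ');
  }
  const err = originCheck(req, actualRes.headers);
  return err ? 'blocked: ' + err : 'allowed';
}
// Constructed sample: the question's FormData POST answered by an HTML page without CORS headers.
const askerPost = { method: 'POST', origin: 'https://www.serverA.com', credentials: false,
  headers: { 'Content-Type': 'multipart/form-data; boundary=constructed' } };
console.log(needsPreflight(askerPost), corsVerdict(askerPost, null, { headers: { 'Content-Type': 'text/html' } }));
```

A request to a path outside the `url-pattern` entries mapped to `ContentCorsFilter` gets no CORS headers from that filter, which is the first failure case the model reports.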