0

I'm building an extension and am having trouble with the workItemIcons api endpoint only on azure devops server, it works fine for azure devops services. The end point I'm hitting is http://...../DefaultCollection/_apis/wit/workItemIcons. I'm getting the following error when running the extension locally, but get the same kind of error even on the published version.

Access to fetch at 'http://...../DefaultCollection/_apis/wit/workItemIcons' from origin 'http://localhost:5500' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Extension scopes I think are fine

    "vso.graph",
    "vso.identity",
    "vso.project",
    "vso.profile",
    "vso.work_full",
    "vso.analytics",
    "vso.work"
  ],```

We're using the `azure-devops-extension-api` package.
Matthew The Terrible
  • 1,589
  • 5
  • 31
  • 53

1 Answers1

1

You can try the following ways:

  1. Add the Access-Control-Allow-Origin header to your response.

    For example:

    res.setHeader('Access-Control-Allow-Origin', '*');
    
  2. Bypass the CORS secure mechanism via setting mode as no-cors.

    For example:

    fetch('http://...../DefaultCollection/_apis/wit/workItemIcons', { mode: 'no-cors' });
    

To view more details, you can reference to the articles below:

Bright Ran-MSFT
  • 5,190
  • 1
  • 5
  • 12
  • Well we're using the azure-devops-extension-api package so we don't get the benefit of specifying the headers ourselves. Maybe I should consider just making that call myself and ignore the package. – Matthew The Terrible Dec 31 '20 at 04:59
  • Hi @MatthewTheTerrible, sure, you can try to call the API without using the azure-devops-extension-api package. Any progress, feel free to tell me. – Bright Ran-MSFT Dec 31 '20 at 09:15
  • I don't think that works because if you fetch with mode set to no-cors then the request won't send the authorization headers so I'll still get a unauthorized response here. – Matthew The Terrible Dec 31 '20 at 17:04
  • It looks like that api requires basic auth for devops server https://learn.microsoft.com/en-us/rest/api/azure/devops/wit/work%20item%20icons/list?view=azure-devops-server-rest-5.0. So its not going to work to call like this. – Matthew The Terrible Dec 31 '20 at 17:35
  • Hi @MatthewTheTerrible, I mean that you can try to directly call the REST API in your extension JavaScript code, instead of using the azure-devops-extension-api package. In this way, normally you can specify any headers you require for the API request in the JavaScript code, such as `Authorization`, `Media Types` or other headers. Here is an article as reference: https://rapidapi.com/blog/how-to-use-an-api-with-javascript/ – Bright Ran-MSFT Jan 01 '21 at 02:56