I am developing right now some dashboards that connect to Epicor 10. We are a Multi-tenant SaaS customer, so we had to go over a lot to figure out how to connect to the ReST API. I got it running with some Ajax and JavaScript. It looks pretty neat, still a lot of work to do.
I did it in pilot and Chrome and no problems. But whenever I changed it to production environment I got a message about not CORS in Chrome. Can anyone provide some help on that? Could it be the IIS?
Instead of * you should narrow it down to specific domains that you want to allow.
Maybe someone already did it in Pilot? Or is the app you are hosting on the same server as pilot?
No, the “website/app” I am coding is in local, I am just using ajax to bring data from our server. Like I mentioned we are a cloud based EPICOR customer, we are a multi-tenant environment.
So that is why I find interesting how come in pilot I am not getting that error message, no one else has done this before here.
So in domains would I put the EPICOR server? or the local IP address from the machine I am running?
You would need to put the exact schema, domain and port you are connecting from.
If your script is running on your local machine like http://localhost:8080, you would need to put this in CorsOrigin.
But if * is used, then it should work for any address.
Okay, so it would be better to only allow a specific domain to do that. Thanks for that clarification. Now where would I put that code? Where would I find the web.config file?
So if you are in multi-tenant or dedicated tenant SaaS then you don’t actually control the CORS origins setting or the web.config file - we do. So I recommend you reach out to the SaaS Ops team about it via Epicor support.
BTW I know for a fact that we’re allowing open CORS as a standard part of SaaS configuration rather than whitelisting each consumer because sadly CORS doesn’t actually support a discrete whitelist of domains. You can specify * for all or one specific domain and that’s it.
Jose is right that there are some security implications to open CORS (e.g. a website hosted anywhere is allowed to try to call Epicor SaaS REST services), but they’re fairly minor for us because our APIs require authentication. So long as you are careful with the Epicor auth token you get (like don’t store it in a cookie that any website can read, just your own) then you’re fine.
Failed to load https://XXXXX Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://XXX’ is therefore not allowed access. The response had HTTP status code 401.
I’ve been having a different CORS issue while calling the REST API. I’m getting a 403 error when making REST calls, with an error message of “Response for preflight does not have HTTP ok status.” To try and get by this error I added the line Jose gave up above and I’ve added this to the web.config:
The code you added is not necessary for REST.
The only thing you should have in web.config is <add key="CorsOrigins" value="*" /> in appSettings section.
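Two points from this thread, that an allowed origin must match scheme, host and port exactly and that a preflight answered with 401/403 fails the CORS check, shown as an added example (not Epicor's server code and not written by any poster). The comma-separated list, the method and header lists and the sample origins are assumptions of the sketch; each response still carries either `*` or a single origin.

```javascript
// Added illustration: generic CORS decision logic, not Epicor's server code.
// `configured` is "*" or a comma-separated list of exact origins; list support
// is an assumption of this sketch, not a documented CorsOrigins feature.
const ALLOW_METHODS = 'GET, POST, PATCH, DELETE'; // constructed sample values
const ALLOW_HEADERS = 'Authorization, Content-Type';

// An origin is scheme + host + port; URL().origin also drops default ports.
function normalizeOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

function corsDecision(configured, req) {
  const sent = req.headers.origin;
  if (!sent) return { action: 'continue', headers: {} }; // not a cross-origin browser call
  const allowAll = configured.trim() === '*';
  const allowed = configured.split(',').map((s) => normalizeOrigin(s.trim()));
  const origin = normalizeOrigin(sent);
  if (!allowAll && (origin === null || !allowed.includes(origin))) {
    // No Access-Control-Allow-Origin header: the browser blocks the response.
    return { action: 'continue', headers: {} };
  }
  const headers = allowAll
    ? { 'Access-Control-Allow-Origin': '*' }
    : { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  const isPreflight = req.method === 'OPTIONS' &&
    'access-control-request-method' in req.headers;
  if (isPreflight) {
    // Browsers send preflights without the Authorization header, so answer
    // here with a 2xx; a 401/403 from the auth layer fails the CORS check.
    headers['Access-Control-Allow-Methods'] = ALLOW_METHODS;
    headers['Access-Control-Allow-Headers'] = ALLOW_HEADERS;
    return { action: 'respond', status: 204, headers };
  }
  return { action: 'continue', headers }; // go on to authentication + handler
}

// Constructed sample: preflight from a local dev page, as in the thread.
const preflight = {
  method: 'OPTIONS',
  headers: { origin: 'http://localhost:8080', 'access-control-request-method': 'GET' },
};
console.log(corsDecision('http://localhost:8080, https://dash.example.com', preflight));
```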