CORS in custom webservice in CRM Script

PARTNER Dennis Mortensgaard

Hi everybody

 

I'm making an integration from a website to a custom "webservice" in crm script

I'm getting a CORS error though, so i was wondering how i can get around that since i don't want to register an application in online, since this is only a crm script - as far as i know i cannot control the headers?

Access to XMLHttpRequest at 'https://online.superoffice.com/CustXXXXX/CS/scripts/blogic.fcgi?_sf=4&action=doScript&id=161&type=5&term=test' from origin 'https://mywebsite.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Let me know how i should proceed :)

 

Thanks

STAFF /en/My-Page/6621/

RE: CORS in custom webservice in CRM Script

Could you use the addHeader() method for the HTTP class?

By: Hans Wilhelmsen 21 Aug 2019
PARTNER /en/My-Page/11648/

RE: CORS in custom webservice in CRM Script

Isn't that only for outgoing headers?

 

I'm trying to fetch data from SuperOffice - so i don't think that'll work?

By: Dennis Mortensgaard 21 Aug 2019
STAFF /en/My-Page/6621/

RE: CORS in custom webservice in CRM Script

Ah!

Good point. 

Check out this blog by Frode Lillerud.

https://community.superoffice.com/en/developer/blog/building-custom-rest-api-methods-using-crmscript/

By: Hans Wilhelmsen 21 Aug 2019
STAFF /en/My-Page/5703/

RE: CORS in custom webservice in CRM Script

CORS headers are something the server side must send, and then the client will look at them (using a client/browser that supports this, but most modern clients/browsers does).

In your case, SuperOffice Service is the server (your CRMScript). 

So you could try adding CORS headers to allow your client to call online.superoffice.com

A problem you could run into is Pre.flights. A Pre-flight request is sent before the actual request. It normally does not happen on GETS (which seems like what you are calling), but are called on POSTs and some of the other HTTP verbs.

You can read more about CORS here: https://www.codecademy.com/articles/what-is-cors

By: Stian Andre Olsen 21 Aug 2019
PARTNER /en/My-Page/5028/

RE: CORS in custom webservice in CRM Script

Hi, you need to add the CORS related headers. Using the lib-http class there is a AddHttpHeader method you can use. Adding Access-Control-Allow-Origin is probably enough.

By: Frode Lillerud 21 Aug 2019
PARTNER /en/My-Page/11648/

RE: CORS in custom webservice in CRM Script

Hi Stian, with regard to pre-flights - how do i get around that? I can see that a pre-flight request typically is a OPTIONS request send before the actual POST request. I guess i should be able to only return the http cors headers when receiving the options command, and not execute the whole script - so the question is, how do i distinguish between which HTTP verbs that are used to call the URL in order to detect that a pre-flight check is carried out by the client, and not the actual POST method?

By: Dennis Mortensgaard 21 May 2020
STAFF /en/My-Page/4973/

RE: CORS in custom webservice in CRM Script

We should probably implement this properly, with routes and verbs and CORS support, rather than trying to hack everything together in a script.

You need to add CORS Origin header with a your host name, or a * to allow any webpage to call your script.

 

Access-Control-Allow-Origin: *

 

By: Christian Mogensen 22 May 2020
PARTNER /en/My-Page/11648/

RE: CORS in custom webservice in CRM Script

To resurrect an old topic that seems to still haunt me once in a while;

As mentioned earlier, a pre-flight request uses the OPTIONS method, but that does not seem to be allowed by the IIS hosting SO Online? I can see my "Access-Control-Allow-Origin" header if i'm making a POST or GET request, but OPTIONS returns 405 method not allowed...

I just discovered that in Postman - here i'm requesting the script with a POST or a GET:

as you can see, "Access-Control-Allow-Origin" is present here as i've specified it in the script.

But when i'm requesting the script with OPTIONS to simulate a pre-flight request, look what happens:

So the OPTIONS verb is simply not allowed when calling CRM Scripts?

This is the script i tested with:

%EJSCRIPT_START%
<% 
#setLanguageLevel 3; 
//Set HTTP headers
Map _headers;
_headers.insert("Content-Type", "application/json;charset=utf-8"); 
_headers.insert("Access-Control-Allow-Methods","POST,OPTIONS,GET");
_headers.insert("Access-Control-Allow-Origin","https://online.businessanalyze.com"); 
String posted = getCgiContent();
JSONBuilder jb;
if(posted != ''){ 
try{
     jb.pushObject('');
     jb.popLevel();
}
catch{
    jb.pushObject('');
    jb.addString('Status', 'Error');
    jb.addString('Error', error); 
    jb.popLevel();
}
jb.popLevel();
_headers.insert("Status", "200 OK");
}else{
  jb.pushObject('');
   jb.addString('Status', 'Error');
   jb.addString('Error', 'No input!'); 
  jb.popLevel();
  _headers.insert("Status", "400 NOT FOUND");
}
String h;
for (_headers.first(); !_headers.eof(); _headers.next())
h += _headers.getKey() + ": " + _headers.getVal() + "\n";

setParserVariable("ej.headers", h);
printLine(jb.getString());
%>
%EJSCRIPT_END%

Called via:

https://online2.superoffice.com/CustXXXXX/CS/scripts/customer.fcgi?action=safeParse&includeId=XXX&key=XXX

By: Dennis Mortensgaard 8 Jan 2021
STAFF /en/My-Page/5821/

RE: CORS in custom webservice in CRM Script

Can't read what's in the images... please optimize.

By: Tony Yates 8 Jan 2021
PARTNER /en/My-Page/11648/

RE: CORS in custom webservice in CRM Script

@Tony: Hope that's better :)

By: Dennis Mortensgaard 8 Jan 2021