CORS rule doesn't work

tyler_durden_83
Kilo Explorer

Dear friends,

I've been trying all morning to get this working, but sadly I failed and I must ask for your help.

This is what I did:

  • Create JavaScript POST code using the REST API Explorer. It worked, so I copied it into my website (changing the proxy password of the generated code with the real one ofc)
  • Create a CORS rule: REST -> CORS RULE

For the Http Headers in particular, I tried so many different combinations, but the result is always the same. In my JS console I see an OPTIONS call being made (HTTP 200), with request:

  1. Accept:*/*
  2. Accept-Encoding:gzip, deflate, sdch, br
  3. Accept-Language:it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
  4. Access-Control-Request-Headers:authorization, content-type
  5. Access-Control-Request-Method:POST
  6. Cache-Control:no-cache
  7. Connection:keep-alive
  8. Host:dev27487.service-now.com
  9. Origin:http://xxxxxxx.compute.amazonaws.com:8080
  10. Pragma:no-cache
  11. Referer:http://xxxxxx.compute.amazonaws.com:8080/querier
  12. User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

And response:

  1. Content-Encoding:gzip
  2. Date:Mon, 13 Mar 2017 14:40:58 GMT
  3. Server:ServiceNow
  4. Set-Cookie:JSESSIONID=399D84D8357AE2C243C2C87037712647;Secure; Path=/; HttpOnly
  5. Set-Cookie:BIGipServerpool_dev27487=830505994.54334.0000; path=/
  6. Strict-Transport-Security:max-age=15768000; includeSubDomains;
  7. Transfer-Encoding:chunked
  8. Vary:Origin

My understanding is that the response should have included the headers like Access-Control-Request-Headers, but it doesn't, no matter what I do on the SN instance.

What am I missing?

I'm pretty much out of ideas or tries here 😞

Thank you so much,

Roberto

3 REPLIES

Mwatkins
ServiceNow Employee

Here's what I get when doing a GET request against my demo instance from localhost.

Request Headers like this for the Options call:

  1. Request URL:https://...service-now.com/api/now/stats/incident?sysparm_query=active%3Dtrue&sysparm_count=true&sys...
  2. Request Method:OPTIONS
  3. Status Code:200 OK
  4. Remote Address:149.96.32.10:443
  5. Referrer Policy:no-referrer-when-downgrade

And Response Headers like this:

  1. Access-Control-Allow-Credentials:true
  2. Access-Control-Allow-Headers:authorization,content-type
  3. Access-Control-Allow-Methods:GET,POST
  4. Access-Control-Allow-Origin:http://0.0.0.0:8000
  5. Access-Control-Max-Age:0

Followed by this for the actual GET request:

  1. Request URL:https://...service-now.com/api/now/stats/incident?sysparm_query=active%3Dtrue&sysparm_count=true&sys...
  2. Request Method:GET
  3. Status Code:200 OK
  4. Remote Address:149.96.32.10:443
  5. Referrer Policy:no-referrer-when-downgrade

Response Headers

  1. Access-Control-Allow-Credentials:true
  2. Access-Control-Allow-Origin:http://0.0.0.0:8000

Hi Matthew,



Can you please share what you have put in your CORS rule entry? I am trying to do a GET call on the incident table and am hitting a similar issue.


rako
Kilo Expert

I have a similar error. The CORS rule will allow you to customize the request header for an external service, but the response header must be set by the server that you are interacting with. Your AWS service needs to set the headers that you are looking for on the response, which is why you are not seeing Access-Control-Request-Headers. You can see a bit more here.



In terms of using the CORS rule, you need to set a comma-delimited list of headers, and they will be added to Access-Control-Allow-Headers automatically. e.g.



Domain: *.domain.com


Http Headers: x-usertoken,content-type



will include "x-usertoken" and on the request headers to the specified domain (documentation). No need for trying to specify the domain in the headers list itself.
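
As an added example (not code from any poster in this thread or from ServiceNow), the script below applies a simplified form of the browser's CORS preflight check to the two OPTIONS exchanges quoted in this thread. The function name, the trimmed header objects and the request side of the second exchange are assumptions.

```javascript
// Added example, not ServiceNow code: a simplified version of the browser's
// CORS-preflight check (Fetch standard). It collects every problem; a real
// browser stops at the first one. Header names are lowercase object keys.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

function checkPreflight(req, res, withCredentials = false) {
  const problems = [];
  const allowOrigin = res["access-control-allow-origin"];
  if (!allowOrigin) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin === "*" ? withCredentials : allowOrigin !== req["origin"]) {
    problems.push(`Access-Control-Allow-Origin ${allowOrigin} does not cover ${req["origin"]}`);
  }
  if (withCredentials && res["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not true");
  }
  const method = (req["access-control-request-method"] || "").toUpperCase();
  const methods = list(res["access-control-allow-methods"]);
  const methodOk = SAFELISTED_METHODS.has(method) || methods.includes(method.toLowerCase()) ||
    (!withCredentials && methods.includes("*"));
  if (!methodOk) problems.push(`method ${method} not allowed`);
  const allowed = list(res["access-control-allow-headers"]);
  for (const name of list(req["access-control-request-headers"])) {
    // "*" never covers Authorization and is only a wildcard without credentials.
    const wildcard = !withCredentials && name !== "authorization" && allowed.includes("*");
    if (!allowed.includes(name) && !wildcard) problems.push(`header ${name} not allowed`);
  }
  return problems;
}

// Preflight from the first post (headers as posted, CORS-relevant ones only).
const firstPost = {
  req: { "origin": "http://xxxxxxx.compute.amazonaws.com:8080",
         "access-control-request-method": "POST",
         "access-control-request-headers": "authorization, content-type" },
  res: { "vary": "Origin" },
};
// Response from Mwatkins' reply; the request side is not shown there, so it is assumed.
const workingReply = {
  req: { "origin": "http://0.0.0.0:8000", "access-control-request-method": "GET",
         "access-control-request-headers": "authorization,content-type" },
  res: { "access-control-allow-credentials": "true",
         "access-control-allow-headers": "authorization,content-type",
         "access-control-allow-methods": "GET,POST",
         "access-control-allow-origin": "http://0.0.0.0:8000" },
};
console.log(checkPreflight(firstPost.req, firstPost.res));
console.log(checkPreflight(workingReply.req, workingReply.res, true));
```

An HTTP 200 on the OPTIONS call is not enough for the check to pass; the `Access-Control-Allow-*` headers in the response are what it evaluates.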