$http REST error widget

saltemus · ‎02-27-2019

We are looking to call (from a ServiceNow portal page and an HTML button that calls Javascript) a different server that is not ServiceNow to call an internal 3rd party REST API (another server inside our company firewall) in our env. We would like to call it from our Portal Widget code that is fed up by our ServiceNow instance using Widgets and HTML button and Javascript. The end result we are trying to achieve is ro use an external REST API to validate text typed into our ServiceNow portal using another servers REST API (odd solution but necessary since that validation is based on data we do not have access to directly in ServiceNow Tables). To try and test this idea I placed the following code in the Widget Client..

Widget Client Script:

function($scope,$http) {
	/* widget controller */
	var c = this;
	c.testCall = function() {
		var req = {
			method: 'GET',
			url: 'https://ddd.ccc.eee.com/cgi-bin/xay.pl?value=aaa.bbb',
			headers: {
				'Access-Control-Allow-Origin' : '*',
				'Access-Control-Allow-Methods' : 'POST, GET, OPTIONS, PUT'
			}
		};
		$http(req)
			.then(function successCallback(response){
			$scope.response = response;
		}, function errorCallback(response){
			console.log("Unable to perform get request");
		});		
	};
}

Widget HTML Call:

 <button type="button" class="btn btn-primary btn-block" ng-click="c.testCall()">REST Call TEST Button</button>

However the REST call does not work when I click the button on the HTML code.. I get a security error:

"dcisp?id=sc_cat_item&sys_id=d853877ac5752300fa3820e94931f54b:1 Access to XMLHttpRequest at 'https://ddd.ccc.eee.com/cgi-bin/xay.pl?value=aaa.bbb' from origin 'http://xxx.yyy.ccc.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

Does anyone have a clue or another way to do what I am trying to do. Calling a 3rd party internal (to our network) REST Api from the browser and not from the server?

saltemus · ‎02-27-2019

Looks like we need to get the called server (ownerS) to add some header/config for security reasons allowing us to call it from Cross Requests...... This is very sad indeed since I doubt we can get the owner of this called server to change their stuff. Anyone have any other ideas? I suppose we could do a middleman server but I do not like that option since it adds over head and resources and our internal security team may flip a lid. another option is to use Server Side API and use GlideAjax which would call from the ServiceNow client side a ServiceNow server API then that would call the 3rd party API which sounds like a double hop and to add to this it would need to leverage Mid Servers to access the internal Server which sounds very ugly and I would think add significant time the the time it would take for a response so this idea does not sound good to me either.

Sumanth16 · ‎02-27-2019

Hi,

Can you refer to below link:

https://community.servicenow.com/community?id=community_question&sys_id=efffcba5dbdcdbc01dcaf3231f9619b5

Thanks,

Sumanth

saltemus · ‎02-27-2019

Hi, Thanks for the reply but I think this post you linked looks like it is for inbound cross requests and CORS. We are trying to access outbound (other people server) REST APIs from our ServiceNow widget code (Client Side). Did I misunderstand your link?

Thanks again for replying

Ujjwal2 · ‎04-28-2020

Hi Saltemus,

I am also facing the same issue, I am trying to call a third party API from service portal widget via JavaScript ajax call and getting the same error.

By any chance, was you able to fix it? If yes, Please share the solution.