XMLHttpRequest Headers

kurtbell1
Giga Expert

I am trying to send a Post request from ServiceNow to an external server.   I keep getting this CORS-related error: "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

I dont know what else to do- I'm adding that header correctly below aren't I?   Please let me know what I'm missing.

var xmlhttp = new XMLHttpRequest();

xmlhttp.open('POST',[endpoint], true);

xmlhttp.setRequestHeader('Access-Control-Allow-Origin', '*');

xmlhttp.setRequestHeader('Content-Type', 'text/xml');

xmlhttp.onreadystatechange = function() {

        console.log('state change');

        console.log(xmlhttp.status);      

        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {              

                  $scope.xmlDoc = xmlhttp.responseXML;      

        }

xmlhttp.send(xmlStr);

1 ACCEPTED SOLUTION

josh_nerius
ServiceNow Employee
ServiceNow Employee

Hi Kurt,



That message is actually referring to response headers from the server you're calling. The browser is looking for that response header to determine if it's allowed to make the call. You won't be able to set this from your XMLHttpRequest.



For security reasons, many sites/APIs prevent cross-origin requests. In order to call that endpoint, you'll have to configure something on the other server to allow the request. For more info about CORS, see HTTP access control (CORS) - HTTP | MDN.


View solution in original post

2 REPLIES 2

josh_nerius
ServiceNow Employee
ServiceNow Employee

Hi Kurt,



That message is actually referring to response headers from the server you're calling. The browser is looking for that response header to determine if it's allowed to make the call. You won't be able to set this from your XMLHttpRequest.



For security reasons, many sites/APIs prevent cross-origin requests. In order to call that endpoint, you'll have to configure something on the other server to allow the request. For more info about CORS, see HTTP access control (CORS) - HTTP | MDN.


Ahh - dumb question.   I should learn to read the response I copied and pasted first! Thanks for the answer