CORS error and withCredentials

alex.anisov · August 22, 2023, 12:47pm

UI version ‘10.2.3’
Core version ‘10.2.3’
webviewer.min.js ‘10.2.3’

When I’m trying to load PDF into WebViewer, receiving such CORS issue.

Access to XMLHttpRequest at ‘https://devstoreaccount1..localhost.test//be0b3d49-8f1b-48d3-a7d0-b066009f6800/16f3bde4-3322-4cad-98e0-d1761fb97c0a/DA9871E032883537F8A2BF5772FA4EF5.pdf?sv=2021-10-04&st=2023-08-22T12%3A33%3A14Z&se=2023-08-29T12%3A33%3A14Z&sr=b&sp=r&sig=wOw3lHzoAP%2FWZM56np%2F93%2Fh%2BvoZ8EgIbLWK6ANu8sz4%3D’ (redirected from ‘https://.localhost.test/api/core/download?token=token_here’) from origin 'https://.localhost.test’ has been blocked by CORS policy: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Part of URI’s hidden because contain sensitive information.

CORS Allowed Origins set to * on the server, from where file downloaded, like it stated in error message.

I’ve tried to use withCredentials in next way:

WebViewer(
			{
				...configuration,
				disabledElements: ['menuButton', 'contextMenuPopup'],
				enableFilePicker: false,
				enableRedaction: false,
				enableAnnotations: false,
				isReadOnly: true,
			},
			viewer.current,
		).then((inst) => {
			instance.current = inst
			instance.current.Core.disableEmbeddedJavaScript()
			instance.current.UI.loadDocument(documentPath, {
				extension: reviewFile.extension,
				withCredentials: false,
			})
.....

but it does not help.

Changing CORS Allowed Origins on file server helps, but it is not the good case because of other reasons.

What is correct usage of withCredentials ??

Andy_Huang · August 23, 2023, 5:05pm

Hello,

This looks like you need to configure the CORS on your server to only accept certain trusted origins. In addition, you will need to have the Access-Control-Allow-Credentials header set to true to allow credentials.

On the client-side, the withCredentials option indicates the request includes credentials and will need to match the server’s CORS policy.

I would recommend consulting the documentation for your server or your server administrator on how to configure the CORS options for your server.

alex.anisov · August 25, 2023, 7:07am

No sure that is correct. A lot of requests before and after succeeded, only 1 fails with CORS error

Andy_Huang · August 28, 2023, 4:46pm

I see a second request for the file later on that seems successful. Are you able to compare the differences between the two requests?

alex.anisov · September 19, 2023, 3:07pm

Unfortunately Chrome does not allow to see details of CORS failed request

Andy_Huang · September 19, 2023, 6:10pm

I think we would need to know what that request is for. If you can’t see the details of the request, I can only suspect that the first request is the OPTIONS request to check whether range requests are available. Especially if it doesn’t impact file loading.