I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.
I've already set Parameter HandleCorsRequest = 1; on the spec class and All the endpoints I am have (a mix of GET, POST, PATCH and DELETE) are working from postman without issue, the problem is when consuming from the web front-end and the preflight checks the browser instigates. Most of the endpoints work in the browser, but some are triggering the preflight (OPTIONS) check causing the CORS issue.
This is what I am seeing in the browser:-
Access to XMLHttpRequest at 'endpoint/url' from origin 'website/url' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This is what I see in the Web Gateway HTTP Trace:-
Show Response
OPTIONS myroute HTTP/1.1
Host: myhost
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization,content-type
Origin: myorigin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: myorigin
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
X-Dynatrace-Application: appname
X-Dynatrace-Origin-Url: myurl
X-Dynatrace-Requeststate: agentId=agentid
X-Dynatrace: longstring
Traceparent: 00-e5bd3bc715eb3be6268511f915fe7d9b-ea15bf233d8a175b-01
Tracestate: f987396-b7c395b8@dt=fw4;7;572083a4;be20;a;0;0;2ab;0c92;2h01;3h572083a4;4hbe20;5h01;7hea15bf233d8a175b
X-Ruxit-Apache-Servernameports: serverurl
Show Request
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Thu, 24 Oct 2024 11:40:13 GMT
Expires: Thu, 29 Oct 1998 17:04:19 GMT
Pragma: no-cache
Content-Length: 0
I've tried overriding the OnHandleCorsRequest in the disp class, but I don't think it is even getting there.
Any help much appreciated.
Thanks
Colin