Does Extensibility configuration access-origin affect XMLHttpRequest calls

I'm trying to make an XmlHttpRequest call from a JS node in a mobile app. I need the request to come from the mobile, because the service I'm integrating with requires the mobile to make the request directly, and not through the outsystems server.

When I make a request though, I get an error in the console

Access to XMLHttpRequest at 'https://their.blah.com' from origin 'https://my-blah.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The documentation https://success.outsystems.com/Documentation/11/Delivering_Mobile_Apps/Customize_Your_Mobile_App/Extensibility_Configurations_JSON_Schema suggests that adding the "access" key to the extensibility config would allow access cross-origin requests, but it doesn't seem to be working even if I add origin:"*".


Hi Jonathan,

This means the service you are trying to integrate with does not have the Access-Control-Allow-Origin header which prevents your Javascript node on your Mobile App from accessing it.

One way around this it, is by using an existing CORS-proxy like cors-anywhere that adds CORS-headers to the request or you could build your own proxy. 

This artice explains a whole lot around this topic and provides different solutions around this error.

Hope this helps.

Regards,

Nordin

Hi Nordin,

Yes, the service did not have the CORS headers. 

The option to proxy through the outsystems server, or anywhere else is a no-go, since the transaction had to be from the mobile only, as this is a OAuth app, and these tokens are not supposed to be passed through a middleman.

After more tests, it does seem like the extensibility config whitelist only affects the webview, and not XHR.

In the end, we convinced the API provider to add CORS headers. 


regards,

Jonathan

Hi Jonathan,

I’m glad you were able to resolve the issue. 

Thanks for getting back at us with this useful information. I’m sure it would help others who come across the same issue.

Regards,

Nordin