Solved

Universal-GUI and CORS

  • 19 April 2021
  • 8 replies
  • 182 views

Badge +7

Dear Thinkwise,

Because the Universal-GUI uses the cache of the browser, it is not allowed to have more than 1 web application of the Universal-GUI in 1 subdomain.

But I now have:

http://ericwebsite.acto.nl/acto-d-upgradetest-evo-indicium-universal

http://ericwebsite.acto.nl/acto-d-upgradetest-evo-indicium

http://ericwebsite.acto.nl/acto-d-upgradetest-evo-universal-gui

So I want to change our IIS structure to support this. What I want to do is create the following structure:

http://ericwebsite.acto.nl/acto-d-upgradetest-evo-indicium-universal

http://ericwebsite.acto.nl/acto-d-upgradetest-evo-indicium

http://acto-d-upgradetest-evo-universal-gui.acto.nl

This structure needs to use the ‘CORS’ possibilities of IIS/Thinkwise.

My question is: do you support this new structure? And if so: how do I enable CORS in this structure?

I have read about CORS and Indicium and found the following instructions and I tried them on the appsettings.json of indicium-universal, but these don’t seem to work.

{
  "AllowedOrigins": [
    "https://ericwebsite.acto.nl",
    "https://acto-d-upgradetest-evo-universal-gui.acto.nl"
  ]
}

Best answer by Mark Jongeling 19 April 2021, 19:44


Userlevel 7
Badge +23

Hi Eric,

CORS only works when Indicium is running in Development mode. It has been changed a while back and the documentation does not reflect this. We will make sure the documentation will be changed.

Development mode should only be used to test and should not be used in Production. In Production, Indicium has to run on the same domain as the Universal GUI.

Userlevel 1
Badge +3

Hi Mark,

Is it still the case that CORS only works in Development mode? The documentation regarding CORS doesn’t reflect this.

https://docs.thinkwisesoftware.com/docs/deployment/indicium#enable-cross-origin-resource-sharing-cors

Userlevel 7
Badge +23

Hi Bas,

This is still the case. CORS only works when Indicium runs in Development mode. It looks like our documentation is missing this part. We'll add it soon. 

Userlevel 5
Badge +16

Does this mean that you cannot offer the default APIs to any outside party, like a partner or a client? How would we enable this? I want an external party to generate a report through an API. Because it's not from the same domain, it by default gets blocked, right?

Userlevel 6
Badge +4

Hello Freddy,

This is not entirely true, I will try to explain why.

CORS is a mechanism that pokes holes in a browser’s Same Origin Policy (SOP) which states that resources cannot be shared between origins (between different domains). SOP is enforced client-side, it is a security mechanism that belongs to your browser and is not inherent to Indicium.

Because SOP is a browser measure, it is only relevant in scenarios that involve a browser. So all server-to-server requests will be fine. In addition to that, browsers tend to only apply SOP on web applications that are served by a web server and not on web applications that load their files from disk, because these don’t have an origin against which the requested resource’s origin can be validated. Because of this, many web applications that are wrapped to appear as desktop applications, for instance by means of Electron, will often not run into this issue either.

The main scenario that is blocked is website A loading resources from website B. In most of these cases, website A and website B are owned/hosted by the same party and can therefore be placed on the same domain. If not, then it can still be solved by having website A communicate with proxy A, which does server-to-server communication with website B.

In short, there are many scenarios in which CORS is not even relevant with regard to performing cross-domain requests, and where CORS could be used, you could simply use a proxy as well.

I hope this helps.
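To make the origin comparison described in the reply above concrete, here is an added example (not part of the original reply and not Thinkwise or Indicium code) that applies it to the URLs quoted in this topic. The exact-match allow-list in `corsDecision` is an assumption modelled on typical CORS middleware, not Indicium's documented behaviour, and all function names are hypothetical.

```javascript
// Added illustration; not Thinkwise/Indicium code. Function names are hypothetical.
// URLs and the allow-list are the ones quoted earlier in this topic.
const INDICIUM = "http://ericwebsite.acto.nl/acto-d-upgradetest-evo-indicium";
const GUI_SAME_HOST = "http://ericwebsite.acto.nl/acto-d-upgradetest-evo-universal-gui";
const GUI_OWN_HOST = "http://acto-d-upgradetest-evo-universal-gui.acto.nl";
const ALLOWED_ORIGINS = [
  "https://ericwebsite.acto.nl",
  "https://acto-d-upgradetest-evo-universal-gui.acto.nl",
];

// An origin is scheme + host + port; the path is not part of it.
function originOf(url) {
  return new URL(url).origin;
}

// Would a browser treat a call from the page to the API as cross-origin?
function isCrossOrigin(pageUrl, apiUrl) {
  return originOf(pageUrl) !== originOf(apiUrl);
}

// Assumed server-side behaviour: exact match of the Origin request header
// against the allow-list. A request without an Origin header (server-to-server
// client, proxy) is not a CORS request and is not filtered here.
function corsDecision(originHeader, allowedOrigins) {
  if (!originHeader) {
    return { corsRequest: false, headers: {} };
  }
  const headers = { Vary: "Origin" };
  if (allowedOrigins.includes(originHeader)) {
    headers["Access-Control-Allow-Origin"] = originHeader;
  }
  // Without Access-Control-Allow-Origin the browser withholds the response from the page.
  return { corsRequest: true, headers };
}

function report() {
  return {
    samePathLayout: isCrossOrigin(GUI_SAME_HOST, INDICIUM),
    ownSubdomain: isCrossOrigin(GUI_OWN_HOST, INDICIUM),
    httpOrigin: corsDecision(originOf(GUI_OWN_HOST), ALLOWED_ORIGINS).headers,
    httpsOrigin: corsDecision(ALLOWED_ORIGINS[1], ALLOWED_ORIGINS).headers,
    noOrigin: corsDecision(undefined, ALLOWED_ORIGINS),
  };
}

console.log(report());
```

Paths on one host share an origin, a separate subdomain does not, and an allow-list entry only matches when the scheme matches as well as the host.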

Userlevel 5
Badge +16

Thanks, makes sense. Just don't really understand why my situation is not working like it should.

Userlevel 6
Badge +4

Hello Freddy,

Perhaps we can help with that if you offer some more information. It’s probably best to dedicate a new topic to it, however.

Userlevel 5
Badge +16

There is a topic: 

After some fiddling I get a 422 error in the UGUI and with Insomnia I get a 403 error..
