Hi Eric,

CORS only works when Indicium is running in Development mode. It has been changed a while back and the documentation does not reflect this. We will make sure the documentation will be changed.

Development mode should only be used to test and should not be used in Production. In Production, Indicium has to run on the same domain as the Universal GUI.

Hi Mark,

is it still the case that CORS only works in Development mode? The documentation regarding CORS doesn’t reflect this.

https://docs.thinkwisesoftware.com/docs/deployment/indicium#enable-cross-origin-resource-sharing-cors

Hi Bas,

This is still the case. CORS only works when Indicium runs in Development mode. It looks like our documentation is missing this part. We'll add it soon. 

Does this mean that you cannot offer the default API's to any outside party, like a partner or a client? How would be enable this?  I want an external party to generate a report through an API. Because it's not from the same domain it by default gets blocked right?

Hello Freddy,

This is not entirely true, I will try to explain why.

CORS is a mechanism that pokes holes in a browser’s Same Origin Policy (SOP) which states that resources cannot be shared between origins (between different domains). SOP is enforced client-side, it is a security mechanism that belongs to your browser and is not inherent to Indicium.

Because SOP is a browser measure, it is only relevant in scenarios that involve a browser. So all server-to-server requests will be fine. In addition to that, browsers tend to only apply SOP on web applications that are served by a web server and not on web applications that load their files from disk, because these don’t have an origin against which the requested resource’s origin can be validated. Because of this, many web applications that are wrapped to appear as desktop applications, for instance by means of Electron, will often not run into this issue either.

The main scenario that is blocked is website A loading resources from website B. In most of these cases, website A and website B are owned/hosted by the same party and can therefore be placed on the same domain. If not, then it can still be solved by having website A communicate with proxy A, which does server-to-server communication with website B.

In short, there are many scenarios in which CORS is not even relevant with regard to performing cross-domain requests and there where CORS could be used, you could simple use a proxy as well.

I hope this helps.

Thanks, makes sense.  Just don't really understand why my situation is not working like it should. 

Hello Freddy,

Perhaps we can help with that if you offer some more information. It’s probably best to dedicate a new topic to it, however.

There is a topic: 

 After som fiddling I get a 422 error in de UGUI and with Insomnia I get a 403 error..