CORS against BCS-462 APIs

odd13ryan
Posts: 6
Joined: Mon Nov 28, 2016 4:29 pm
Bot?: No

CORS against BCS-462 APIs

Post by odd13ryan »

The HTTP endpoints for the BCS 462 running firmware 4.0 don't seem to return CORS headers, so my browser won't allow AJAX requests to them. This post seems to suggest they are supported in 4.0. Any suggestions?

http://forum.embeddedcc.com/viewtopic.php?f=11&t=2730
brahn
Posts: 543
Joined: Thu Dec 13, 2012 11:01 am
Bot?: No

Re: CORS against BCS-462 APIs

Post by brahn »

The BCS will return CORS headers (Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers) if Origin is present in the request headers. The utilities all work because of CORS support.
odd13ryan
Posts: 6
Joined: Mon Nov 28, 2016 4:29 pm
Bot?: No

Re: CORS against BCS-462 APIs

Post by odd13ryan »

Thanks for the super prompt response. I'll try that tonight.
odd13ryan
Posts: 6
Joined: Mon Nov 28, 2016 4:29 pm
Bot?: No

Re: CORS against BCS-462 APIs

Post by odd13ryan »

Yeah, so here's what I've learned this evening in case anyone is interested. The browser sets the "Origin" header automatically. I was using jQuery code that looked like this:

Code:

<script type="text/javascript">
    var username = 'theuser';
    var password = 'thepass';
    $(document).ready(function () {
        $.ajax({
            url: "http://hostname/api/poll",
            type: "GET",
            contentType: "application/json",
            dataType: "json",
            statusCode: {
                200: function(data) {
                    console.log(data);
                }
            },
            crossDomain: true
        });
    });
</script>

It initially sends a pre-flight OPTIONS request when a CORS AJAX request is sent. The OPTIONS request would respond with 200, then the browser will follow up with a POST or GET to the same URL depending on what request you are making. Because our BCS has a password set, the follow-up POST or GET would respond with a 401 because the second request had no headers set. This is where it got confusing for me. Because the follow-up request had no authentication info, the BCS would respond with a 401. That caused Chrome to log an error to the JavaScript console indicating that the CORS headers were not set correctly. The specific error was this:

Code:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://whatever' is therefore not allowed access. The response had HTTP status code 401

The real problem was the lack of authorization. My suspicion is that in a CORS scenario, the browser interprets any type of 401 as missing CORS headers, even if that's not actually the case. Adding this to the request options solved the problem:

Code:

            headers: {
                "Authorization": "Basic " + btoa(username + ":" + password)
            },

This is interesting to note, and it made debugging painful: I could navigate to the BCS manually and authenticate, and after that I could hit the URL in question without going through the BCS UI or reauthenticating. It was only by looking at the request headers from the AJAX requests that I figured this out.
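
Added example, not part of the original post or of the BCS code: a small triage function for the situation described above, which takes the preflight and follow-up responses as copied from the browser's network panel and says whether a "CORS" console error is really an authentication failure. The function names, result strings and all header values are constructed for illustration, and it assumes the 401 arrives without an Access-Control-Allow-Origin header, as the Chrome message quoted above states.

```javascript
// Added example. Response data is whatever you copy from the DevTools
// Network tab; the samples at the bottom are constructed, not real captures.

// Lowercase header names so lookups are case-insensitive.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Does Access-Control-Allow-Origin admit this page origin?
function originAllowed(headers, origin) {
  const acao = lower(headers)["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// ex: { origin, requestHeaders, preflight: {status, headers} | null, actual: {status, headers} }
function diagnose(ex) {
  if (ex.preflight) {
    const pre = ex.preflight;
    if (pre.status < 200 || pre.status > 299) return "preflight-rejected";
    if (!originAllowed(pre.headers, ex.origin)) return "preflight-origin-not-allowed";
    const allowed = (lower(pre.headers)["access-control-allow-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase());
    // "*" never covers Authorization; it has to be listed by name.
    const covered = (h) => allowed.includes(h) || (h !== "authorization" && allowed.includes("*"));
    const missing = ex.requestHeaders.map((h) => h.toLowerCase()).filter((h) => !covered(h));
    if (missing.length) return "header-not-allowed:" + missing.join(",");
  }
  const visible = originAllowed(ex.actual.headers, ex.origin);
  if (ex.actual.status === 401) {
    // Without the CORS header the page never sees the 401, only a CORS error.
    return visible ? "auth-failed" : "auth-failed-reported-as-cors";
  }
  return visible ? "ok" : "blocked-by-cors";
}

// Constructed samples modelled on the thread: same preflight, two follow-ups.
const preflight = { status: 200, headers: {
  "Access-Control-Allow-Origin": "http://whatever",
  "Access-Control-Allow-Methods": "GET, POST",
  "Access-Control-Allow-Headers": "Content-Type, Authorization" } };
const withoutAuth = { origin: "http://whatever", requestHeaders: ["Content-Type"],
  preflight, actual: { status: 401, headers: {} } };
const withAuth = { origin: "http://whatever", requestHeaders: ["Content-Type", "Authorization"],
  preflight, actual: { status: 200, headers: { "Access-Control-Allow-Origin": "http://whatever" } } };

console.log(diagnose(withoutAuth), diagnose(withAuth));
```
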
brahn
Posts: 543
Joined: Thu Dec 13, 2012 11:01 am
Bot?: No

Re: CORS against BCS-462 APIs

Post by brahn »

Yes, the authentication can be a little tricky with the device and CORS. You can also use our BCS Promise library for the BCS communication instead of raw jQuery as another option.