To enable CORS(cross origion resoure sharing) in TorchServe, I am using the following settings in the config.properties. Can you please have a look and let me know if I am using the right settings/syntax. My torchserve settings need to return header reponse as *"Access-Control-Allow-Origin: "
Note: not using a custom header
cors_allowed_origin=*
cors_allowed_methods=GET, POST, PUT, OPTIONS
Reference: https://pytorch.org/serve/configuration.html#configure-cross-origin-resource-sharing-cors
Related
all.
I am thinking about a issue using pdfTron SDK(an SDK help load pdf) in my application. This SDK is able to load local pdf files, working like a charm. I decide to load an online pdf file in my web application, using pdfTron SDK, e.g. 'https://cdn.mendix.tencent-cloud.com/documentation/developerportal/tencent-deploy.pdf'. This file is accessible in browser, directly, but when I use scripts, like:
instance.UI.loadDocument('https://cdn.mendix.tencent-cloud.com/documentation/developerportal/tencent-deploy.pdf');
};
I directly got an error when running the application, which shows
Request URL: https://cdn.mendix.tencent-cloud.com/documentation/developerportal/tencent-deploy.pdf
Request Method: HEAD
Status Code: 403
Referrer Policy: strict-origin-when-cross-origin
I think this is a CORS issue. But I cannot understand why I can use browser getting this file, while scripts does not. How can I resolve this? Thanks
I would suggest to read the documentation on pdfTron concerning "webview" and "loadDocment".
WebView is used to get the pdf you want to use from any source(file or web), in your case, you need to use "initialDoc" property, that is where you would place "cdn.mendix.tencent-cloud.com/documentation/developerportal/…".
Then "instance.UI.loadDocument" is used to identify the html element where you want to place the fetched document.
Sample
API Docs
I also try a CORS config in my document server(nginx), like this:
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
This works now. But It seems that if the document server is not yours, you cannot do this. Hope this help!
I've hosted to IIS in Azure a WCF. I need to do a post CORS client side (I'm using dojo js).
I expect this scenario
POST REQUEST -> OPTIONS PRE-FLIGHT -> POST RESPONSE
but if I see the chrome dev tools network I get:
POST Request -> OPTIONS PRE-FLIGHT -> AUTOMATICALLY GET REQUEST -> METHOD NOT ALLOWED (my WCF method only accept POST method)
There also a strange thing, if i see the GET response, it has status code 302 found and in the response header LOCATION : /rest/(X(1)S(xnrhdgei0ecua5s550yxqiv1))/login/ but I don't know what (X(1)S(xnrhdgei0ecua5s550yxqiv1)) is.
How can I solve this problem?
Thank you!
I solved adding <sessionState mode="InProc" cookieless="false"/> into the web.config. See my previous comment for additional details
While testing the API definition of my Azure Function (within the portal) I get this CORS error:
This is a cross-origin call. Make sure the server at ***.azurewebsites.net accepts POST requests from functions.azure.com. Learn more
I verified that this is listed as a CORS allowed origin within the function settings:
https://functions.azure.com
Am I missing something?
I cannot reproduce this on my side.
I added the following to ALLOWED ORIGINS:
The output in the Azure portal:
I also test it by making a POST request to the function in the browser via jQuery:
If you want us to dive into this problem you may need to provide detailed steps to reproduce.
The problem turned out to be the API definition. CORS was working fine although that was indicated as the problem in the error messages. The missing piece in the API definition was
security: []
which was missing in the POST section. I guess the security entry is required even if it's empty. It would've been nice if there was a warning that this was missing.
Everthing has been work absolutely fine - until I upgraded to a later version of ServiceStack recently - I'm now on version 4.0.35.0
Public Overrides Sub Configure(container As Funq.Container)
Dim appSettings = New AppSettings() 'Gets settings from web.config
...
Plugins.Add(New CorsFeature(allowOriginWhitelist:={"http://localhost:8888", "http://site1.abc.com", "http://site2.abc.com", "http://site3.abc.com"}, allowedMethods:="GET, POST, PUT, DELETE, OPTIONS", allowedHeaders:="Content-Type, Authorization", allowCredentials:=True))
End Sub
Error being received is:
XMLHttpRequest cannot load https://site1.abc.com/auth/credentials.
The 'Access-Control-Allow-Origin' header contains multiple values 'http://site1.abc.com, http://site1.abc.com',
but only one is allowed. Origin 'http://site1.abc.com' is therefore not allowed access.
The call is being made from site1.abc.com and interestingly its saying that its in their twice - but it definately isnt.
Any clues as to what's going on
I do need multiple sites calling an API on a single endpoint with credentials.
Thanks
Terry
This issue should now be resolved with the v4.0.36 Release of ServiceStack that's now available on NuGet.
I'm trying to get CORS working on my trigger.io app:
I've got the following setup in my .htaccess
Header set Access-Control-Allow-Headers: "Accept,Origin,Content-Type,X-Requested-With"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE,OPTIONS"
Header set Access-Control-Allow-Credentials: "true"
Header set Access-Control-Allow-Origin "http://localhost:3000,content://io.trigger.forge99d5a0b8621e11e28cc2123139286d0c"
Running the trigger App in the web (localhost:3000) works fine.
But when I deploy it to an (android) device I see the following error in the debug output:
[ERROR] XMLHttpRequest cannot load {link}http://mydevtest.lan/api/auth/currentuser.{/link} Origin content://io.trigger.forge99d5a0b8621e11e28cc2123139286d0c is not allowed by Access-Control-Allow-Origin. -- From line 1 of null
I'm fearing that setting content:// in the Access-Control-Allow-Origin header is not legal.
The Access-Control-Allow-Origin header as you have it is invalid. Valid values are either '*', or a space separated list of origins. One of the following should work:
Header set Access-Control-Allow-Origin "*"
or
Header set Access-Control-Allow-Origin "http://localhost:3000 content://io.trigger.forge99d5a0b8621e11e28cc2123139286d0c"
Note that I've never tested the latter form (with multiple origins). While the CORS spec allows it, browsers may not yet support it.
One other thing you could do is read in the value of the Origin header, validate it on your server (i.e. manually check that the value equals either "http://localhost:3000" or "content://io.trigger.forge99d5a0b8621e11e28cc2123139286d0c"), and then echo only that value in the Access-Control-Allow-Origin response header. However this requires a little more work since it introduces some server-side conditional processing.
I also fear that content:// is not allowed in CORS, could you try setting Access-Control-Allow_origin to *, if that works then that is probably the problem.
A better solution would be to avoid doing XHR requests and use forge.request.ajax which will make the request from native code and avoid any cross domain restrictions. You can find the documentation for that here http://docs.trigger.io/en/v1.4/modules/request.html#modules-request