Suvash - Hi Team, I am trying to access the /ap...

Hi Team, I am trying to access the /api/rest/2.0/system/banner from our FE app. However, I am getting a CORS error even though the domain is listed under the Security Settings for CORS whitelisted domains. Am I missing anything here?
origin 'http://localhost:5173' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
utsav.kapoor•3mo ago
Can you please let us know what domain is added in the CORS section? Is it localhost:5173?
SuvashOP•3mo ago
http://localhost:5173. I had also deployed it to our hosted dev app, which is also part of the CORS list, but I am still getting the CORS error.
utsav.kapoor•2mo ago
Can you DM me a screenshot of your security settings page?
SuvashOP•2mo ago
Done. Also, http://localhost:5173, does it get its protocol removed? https://visual-embed-sdk.vercel.app/docs/security-settings#csp-cors-hosts Based on this, we need to provide the http for localhost.
utsav.kapoor•2mo ago
You would need to add the protocol, otherwise it will pick up https automatically.
SuvashOP•2mo ago
Yeah, I did add the protocol, but the next time I checked, it was removed from the list and I can see the domain without the protocol.
Hi @utsav.kapoor, any updates on this?
utsav.kapoor•2mo ago
Hey @Suvash - Can you please add the protocol in the security setting and see if that works? You should add http://localhost:5173/, to get this working
SuvashOP•2mo ago
Hi @utsav.kapoor. I did add the protocol. But it seems to be removed, as I didn't see it when I checked later. Also mentioned above ^^^
utsav.kapoor•2mo ago
@Suvash - I checked the screenshot, and it's localhost:5173 in the screenshot, can you please update that to include http in it?
Ohh... I didn't catch that part. Can you send me the following details: 1. Cluster URL 2. Release Version in the DM. I'll set up a call with you so we can triage
SuvashOP•2mo ago
where do I see the release version?
utsav.kapoor•2mo ago
From your Thoughtspot instance, you can click on the ? icon on the top navigation and then click About Thoughtspot, that should give you the release version
SuvashOP•2mo ago
cool. thank you
utsav.kapoor•2mo ago
I have pinged the customer success team so they can set up a call. They should reach out asking for a time so we can go on a call to resolve
SuvashOP•2mo ago
Hi @utsav.kapoor just following up on this since I haven't heard anything from the cs team
utsav.kapoor•2mo ago
Let me follow up with them
Andy•2mo ago
@utsav.kapoor can we please get this expedited, as it has been almost a week since you raised it with customer success? This is a blocking feature for us.
utsav.kapoor•2mo ago
Can you raise a ticket? I haven't seen them respond, so if you raise a support ticket, we can get the call sometime this week. Give reference to this slack thread and let me know I have asked for a call.
SuvashOP•2mo ago
creating the ticket now.
utsav.kapoor•2mo ago
Michelle would have also reached out to you both. I just pinged her again.
We will have @shikharTS in the call. He can help out on this.
SuvashOP•2mo ago
cool. thank you. yeah got the message from Michelle 🙏
shikharTS•2mo ago
Update here: We even tried to add .* to CORS. Even after that we were seeing the same CORS error in the console logs. Looks like some AWS rule is being invoked and we get the CORS error. Another interesting thing was we are getting 200 in the HAR file but then get a CORS error. Will debug on my own a bit and update with findings here.
@Suvash can you add the header --header 'Accept: application/json', when you make the call from your code? That is the only difference I can see. The call from localhost has */* in accept.
Also for some reason the type of call from localhost is fetch, but when made directly it is document.
SuvashOP•2mo ago
Hi @shikharTS, it didn't work. Also, I was testing the URL and it seems to be open to everyone. It just doesn't seem to like being called from fetch. Gave it a try with axios, didn't make any difference as well. https://afterpay.thoughtspot.cloud/api/rest/2.0/system/banner
shikharTS•2mo ago
fetch("https://thoughtspot.humanforce.com/api/rest/2.0/system/banner?1740627275957", {
  "headers": {
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "accept-language": "en-US,en;q=0.9",
    "priority": "u=0, i",
    "sec-ch-ua": "\"Not(A:Brand\";v=\"99\", \"Google Chrome\";v=\"133\", \"Chromium\";v=\"133\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Linux\"",
    "sec-fetch-dest": "document",
    "sec-fetch-mode": "navigate",
    "sec-fetch-site": "none",
    "sec-fetch-user": "?1",
    "upgrade-insecure-requests": "1"
  },
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
});
I tried to copy the HAR file request (which was successful) as fetch. Can you try the above code and check if this works? I have tried a bunch of things but seems to be working for me with curl.
If this also does not work, we might need to whitelist localhost at AWS level (since this is an AWS server response). You might need to create a support ticket for that.
SuvashOP•2mo ago
Hi Shikar, thank you but this didn't work. Also, the issue is not only with localhost. It is not working for us with our dev environment as well. I will create that support ticket.
shikharTS•2mo ago
Also mention that this does not work even with .* in CORS in TS. Might need to check cloud aws logs for this
Florian Nègre•2w ago
Hi, I think we have the same issue with the header ‘Access-Control-Allow-Origin’ not sent in the API response headers even if we add a CORS whitelist domain. @Suvash @shikharTS Do you know if you resolved your issue, please?
shikharTS•2w ago
@Florian Nègre this was some issue with the API /system/banner. The rest APIs were working fine
Florian Nègre•2w ago
Thank you. Do you know if the API /system/banner issue is fixed? There is no header in the response that allows whitelisted domains to make requests to this API.
For information, I have created a case: https://community.thoughtspot.com/customers/s/case/500Uk00000WrT9bIAF/accesscontrolalloworigin-header-not-sent-in-api-responses
shikharTS•2w ago
Yes, last I saw the update, the fix has been implemented, it is being rolled out to prod clusters. You should be able to get more info on the support case you created.
