Do we have a release date for the CORS ability? Have exactly the same issue, because we use a mindsphere CF app as middleware providing an own REST API and another mindsphere CF app providing the UI as static site. My calls also are in the same tenant. My application is not running due to the CORS problem.
1 Failed to load resource: the server responded with a status of 403 ()
Failed to load https://tenant-myapi-tenant.eu1.mindsphere.io/api/v1/devices:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'https://tenant-myfrontendapp-tenant.eu1.mindsphere.io' is therefore not allowed access. The response had HTTP status code 403. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
@Dineshb currently it is not possible to call your APIs from outside of MindSphere. We are working on a mechanism that allows you to issue service credentials (technical token) for calling those.
1. Is the "technical token" different from the service credentials?
2. Will developers/users be able to self-service tokens/credentials without submitting tickets?
3. What is the timeframe on this, is it still on track for release in a month?
I am migrating our HTML5 web application using some backend micro services from MSv2 to MSv3, and am now also having this CORS issue. In MSv2 there was no CORS issue, since all apps have the same parent root path: <tenant>.apps.mindsphere.io.
This would be a major blocker for people who wanted to migrate the webapp and micro services to MS.
1. When will the CORS ability be available, which was mentioned a few months ago?
2. Is there any workaround, e.g. using the ACCESS-CONTROL-ALLOW-ORIGIN header or CSP header (I tried this but was not successful), until the CORS feature is really supported? Otherwise the migration effort would be much higher to introduce a new backend service in every web project containing web static files.
Actually, I tried to do the same as you explained, i.e. set the CORS headers in the backend app and changed the CSP header policy. If I directly call the backend app (REST API URL) from the web browser, I also get the expected CORS header and the query returns results, but not if I use the same query from the frontend app. I am not sure whether this is something to do with the CSP. Could you please elaborate more on what needs to be specified in the CSP of both the backend and frontend app?
Another question: Did you add your backend as an additional component inside the same registered application that also contains the frontend part? In my case, I am using a backend service from another registered application.
Does MindSphere Gateway check/change the CORS response headers returned by the other application or always forward all headers to the frontend user?
As far as I know, the gateway does not interfere with the CORS headers, just sits in front for authentication. The CORS headers are decided by your backend app as long as you reach your code (pass the authentication).
In our case, for simplicity, we build a static version of the app that is included in the server, so everything stays within the same app. But we also built a proxy app that forwards queries to other internal applications, and also had another project where we had two components on the same app. Both worked, just need to use the internal endpoints (the one you get with "cf apps").
That's what I also did at the end by using a proxy app (request forwarder), but I think it would be just a workaround in my case, because I have multiple frontends, which use the same backend service.
IMO, in MSv3 one shall be able to provide a common backend service that can be used by multiple frontend applications without such an additional proxy app in every related application.
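The proxy app (request forwarder) workaround discussed in this thread, sketched as an added example that is not code from any poster or from MindSphere: the frontend app serves `/api/...` itself and forwards those calls to the backend's internal endpoint, so the browser never makes a cross-origin request. Assumptions: Node.js 18+, a hypothetical `INTERNAL_BACKEND_URL` variable holding the internal endpoint, and a gateway that passes the caller's token in the `Authorization` header.

```javascript
// Added example, not MindSphere code. INTERNAL_BACKEND_URL is a hypothetical
// variable holding the backend's internal endpoint (as listed by "cf apps").

// Headers a proxy must not pass on, plus the ones fetch() sets itself.
const DROP = new Set(['connection', 'keep-alive', 'proxy-authenticate',
  'proxy-authorization', 'te', 'trailer', 'transfer-encoding', 'upgrade',
  'host', 'content-length']);

// Map a browser request to the upstream call, or null if it must not be forwarded.
function buildUpstreamRequest(method, path, headers, internalBase) {
  if (!path.startsWith('/api/')) return null;
  const target = new URL(path, internalBase);
  // Re-check after normalisation so "/api/../x" cannot leave the API prefix.
  if (!target.pathname.startsWith('/api/')) return null;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    // Authorization is kept so the backend still sees the caller's token.
    if (!DROP.has(key)) out[key] = value;
  }
  return { method, url: target.href, headers: out };
}

async function startProxy(internalBase, port) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    const up = buildUpstreamRequest(req.method, req.url, req.headers, internalBase);
    if (!up) { res.writeHead(404).end(); return; } // static file serving omitted
    try {
      const chunks = [];
      for await (const c of req) chunks.push(c); // small JSON bodies assumed
      const body = chunks.length ? Buffer.concat(chunks) : undefined;
      const r = await fetch(up.url, { method: up.method, headers: up.headers, body });
      const type = r.headers.get('content-type') || 'application/octet-stream';
      res.writeHead(r.status, { 'content-type': type });
      res.end(Buffer.from(await r.arrayBuffer()));
    } catch (err) {
      res.writeHead(502).end(); // backend unreachable or request rejected
    }
  }).listen(port);
}

// Starts only when configured; Cloud Foundry supplies PORT.
if (process.env.INTERNAL_BACKEND_URL) {
  startProxy(process.env.INTERNAL_BACKEND_URL, process.env.PORT || 8080);
}
```

Because the browser only talks to the frontend's own origin, no preflight is sent and the backend needs no CORS headers for this path.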