How can I set some header lines in a TWebHttpRequest?

Warnkonig_Karl-Heinz · August 23, 2022, 10:09am

Hi

I used your Demo ....\Demos\Services\Simple\TMSWeb_SimpleService.dproj
with a little modification to start a new project for reading some reports(plain text file)
The server with the files asked for is an other win10 machine

procedure TForm1.WebButton1Click(Sender: TObject);
begin
console.log('Der WebButton1 wurde geClickt');
// WebHttpRequest1.URL := 'https://download.tmssoftware.com/tmsweb/music.json';
WebHttpRequest1.URL:= 'http://192.168.1.210/Reports/51';

WebHttpRequest1.Execute(
//this is an anonymous method
procedure(AResponse: string; AReq: TJSXMLHttpRequest) //returns an Arry of Objects
var //"userId":1,
//"id":1,
//"title"
js: TJSON;
ja: TJSONArray;
jo: TJSONObject;
i: integer;
begin
// first time do nothing!!!!!!!!!!!!!!!!!!!!!!!
// js := TJSON.Create;
//
// try
// ja := TJSONArray(js.Parse(AResponse));
//
// ShowMessage('Retrieved items:' +inttostr(ja.Count));
//
// for i := 0 to ja.Count - 1 do
// begin
// jo := TJSONObject(ja.Items[i]);
// WebListBox1.Items.Add(jo.GetJSONValue('title'));
// end;
// finally
// js.Free;
// end;
end
);
end;

and I got the following Info in the Console

Der WebButton1 wurde geClickt Unit1.pas:38:9

Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf http://192.168.1.210/Reports/51. (Grund: CORS-Kopfzeile 'Access-Control-Allow-Origin' fehlt). Statuscode: 404.

Uncaught
Object { fMessage: "HTTP request error @http://192.168.1.210/Reports/51", fHelpContext: 0 }
rtl.js:258

How and where must I set the appropriate Headerlines for resolve the CORS problem?

Thanks a lot

John_Easley · August 24, 2022, 11:35pm

You need to configure your web server to allow CORS, it's not something you set on the client app.

For example, in IIS, you can use click on the website or application you're hosting, click on "HTTP Response Headers", then add the following record:

In the name field: Access-Control-Allow-Origin
In the value field: *

You can add headers to an HttpWebRequest by doing the following:

WebHttpRequest.Headers.AddPair('content-type', 'application/json');

If you're testing a TMS Web Core project on your local machine, you can disable Chrome or Firefox CORS by installing a plug-in.

For Chrome I use https://chrome.google.com/webstore/detail/cross-domain-cors/mjhpgnbimicffchbodmgfnemoghjakai?hl=en-US

For Firefox I use CORS Everywhere http://spenibus.net/

Hope this helps.

Warnkonig_Karl-Heinz · August 25, 2022, 8:49am

First of all, thank you for your response

but there is somthing not clear. You wrote:

But I have an example from a video from Danny Wind SummerCamp 2021
with the following code snippet belonging to a server-sw

if Request.GetFieldByName( 'Access-Control-Request-Headers') <> '' then
begin
Response.SetCustomHeader( 'Access-Control-Allow-Headers',
Request.GetFieldByName('Access-Control-Request-Headers'));
Handled := True;
end;

So I assume there must some haeder info come from the client who does the request?
Or did I totaly misunderstanding this code

Thanks

John_Easley · August 25, 2022, 8:43pm

I haven't seen the video, maybe you can post a link.

Which web server are you using?

I suggest using the RESTDebugger included with Delphi to test. You can add headers and test before you waste time trying to code things. It also shows you the response headers. Here's an example of a request to Rad Server:

URL: http://localhost/radserver/emsserver.dll/version

Response Headers:
Date=Thu, 25 Aug 2022 15:51:51 GMT
Content-Length=39
Content-Type=application/json
Server=Microsoft-IIS/8.5
Access-Control-Allow-Origin=*

Please post a link to Danny's video and maybe we can figure this out.

John

Warnkonig_Karl-Heinz · August 26, 2022, 7:54am

Hi John,

the link to the Video:

nearly at minute 41:00 he told about CORS and the part of SW who receive an Access-Control-Request-Headers and only if he got one, he send it back as an Response header.

My Webserver is an IIS on a Win10 Desktop System

Charly

John_Easley · August 26, 2022, 1:39pm

In the video Danny is adding a response header to a TWebModule (REST server application) to allow CORS.

If you have access to your REST web server application's code, you can do the same. Or you can do as I suggested in my first response, which is add the response headers to your server application in IIS.

John

Warnkonig_Karl-Heinz · August 26, 2022, 1:56pm

Sorry for asking again, but the response is only added if there was a special entry in the request. So I asume that the initial entry must come from the client who sends the request. Isn't it?

Charly

John_Easley · August 26, 2022, 3:06pm

Your original question asked where can you add headers to your Web Core application to fix your CORS issue. This is not done on the client. CORS is cross origin, for example, domain-a.com is requesting something from domain-b.com. CORS is a browser security feature. If you think about it this way, you can't add anything to your web application that will tell a server to allow you to have access to something. The server must grant this request by telling the browser that the request is allowed. If you could add something to the client app to allow cross origin server requests, then what would the point of CORS be? It would be useless.

Simple requests are allowed. If you add a custom header to your web app, it will trigger CORS, in my experience. For instance, sending a header with a master secret, or a token, will trigger CORS.

There's a lot more to CORS than I can explain in a post. I suggest reading the following which explains it in greater detail.

John