How can I set some header lines in a TWebHttpRequest?


I used your Demo ....\Demos\Services\Simple\TMSWeb_SimpleService.dproj
with a little modification to start a new project for reading some reports (plain text file).
The server with the files asked for is another Win10 machine.

procedure TForm1.WebButton1Click(Sender: TObject);
begin
  console.log('Der WebButton1 wurde geClickt');
  // WebHttpRequest1.URL := '';
  WebHttpRequest1.URL := '';

  // this is an anonymous method
  WebHttpRequest1.Execute(
    procedure(AResponse: string; AReq: TJSXMLHttpRequest) // returns an array of objects
    var // "userId":1,
      js: TJSON;
      ja: TJSONArray;
      jo: TJSONObject;
      i: integer;
    begin
      // first time do nothing!
      // js := TJSON.Create;
      // try
      //   ja := TJSONArray(js.Parse(AResponse));
      //   ShowMessage('Retrieved items:' + inttostr(ja.Count));
      //   for i := 0 to ja.Count - 1 do
      //   begin
      //     jo := TJSONObject(ja.Items[i]);
      //     WebListBox1.Items.Add(jo.GetJSONValue('title'));
      //   end;
      // finally
      //   js.Free;
      // end;
    end
  );
end;

and I got the following Info in the Console

Der WebButton1 wurde geClickt Unit1.pas:38:9

Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf (Grund: CORS-Kopfzeile 'Access-Control-Allow-Origin' fehlt). Statuscode: 404.

Object { fMessage: "HTTP request error @", fHelpContext: 0 }

How and where must I set the appropriate header lines to resolve the CORS problem?

Thanks a lot

You need to configure your web server to allow CORS, it's not something you set on the client app.

For example, in IIS, you can click on the website or application you're hosting, click on "HTTP Response Headers", then add the following record:

In the name field: Access-Control-Allow-Origin
In the value field: *

You can add headers to an HttpWebRequest by doing the following:

WebHttpRequest.Headers.AddPair('content-type', 'application/json');

If you're testing a TMS Web Core project on your local machine, you can disable Chrome or Firefox CORS by installing a plug-in.

For Chrome I use

For Firefox I use CORS Everywhere

Hope this helps.


First of all, thank you for your response

but there is something not clear. You wrote:

But I have an example from a video from Danny Wind SummerCamp 2021
with the following code snippet belonging to a server-sw

if Request.GetFieldByName( 'Access-Control-Request-Headers') <> '' then
Response.SetCustomHeader( 'Access-Control-Allow-Headers',
Handled := True;

So I assume there must be some header info coming from the client who does the request?
Or did I totally misunderstand this code?


I haven't seen the video, maybe you can post a link.

Which web server are you using?

I suggest using the RESTDebugger included with Delphi to test. You can add headers and test before you waste time trying to code things. It also shows you the response headers. Here's an example of a request to Rad Server:

URL: http://localhost/radserver/emsserver.dll/version

Response Headers:
Date=Thu, 25 Aug 2022 15:51:51 GMT

Please post a link to Danny's video and maybe we can figure this out.


Hi John,

the link to the Video:

At nearly minute 41:00 he talks about CORS and the part of the software that receives an Access-Control-Request-Headers and, only if it got one, sends it back as a response header.

My Webserver is an IIS on a Win10 Desktop System


In the video Danny is adding a response header to a TWebModule (REST server application) to allow CORS.

If you have access to your REST web server application's code, you can do the same. Or you can do as I suggested in my first response, which is add the response headers to your server application in IIS.


Sorry for asking again, but the response is only added if there was a special entry in the request. So I assume that the initial entry must come from the client who sends the request. Isn't it?


Your original question asked where can you add headers to your Web Core application to fix your CORS issue. This is not done on the client. CORS is cross origin, for example, is requesting something from CORS is a browser security feature. If you think about it this way, you can't add anything to your web application that will tell a server to allow you to have access to something. The server must grant this request by telling the browser that the request is allowed. If you could add something to the client app to allow cross origin server requests, then what would the point of CORS be? It would be useless.

Simple requests are allowed. If you add a custom header to your web app, it will trigger CORS, in my experience. For instance, sending a header with a master secret, or a token, will trigger CORS.

There's a lot more to CORS than I can explain in a post. I suggest reading the following which explains it in greater detail.
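
Added example, not part of the thread or of TMS Web Core: a JavaScript model of the exchange discussed above, showing that the browser itself generates Access-Control-Request-Headers in a preflight when the app adds a non-simple header (such as content-type: application/json), and that only the server's answer decides whether the real request goes out. The origin, policy object and function names are constructed for illustration, and the model covers only the origin and header checks.

```javascript
// Constructed model of the CORS preflight exchange (origin and header checks only).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Browser side: returns null for a "simple" request, otherwise the headers of
// the OPTIONS preflight that the browser sends on its own before the real request.
function buildPreflight(origin, method, headers) {
  const unsafe = Object.entries(headers)
    .map(([name, value]) => [name.toLowerCase(), value])
    .filter(([name, value]) => name === 'content-type'
      ? !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())
      : !SAFE_HEADERS.has(name))
    .map(([name]) => name)
    .sort();
  if (SAFE_METHODS.has(method) && unsafe.length === 0) return null;
  const preflight = { 'origin': origin, 'access-control-request-method': method };
  if (unsafe.length) preflight['access-control-request-headers'] = unsafe.join(',');
  return preflight;
}

// Server side: the answer the web server (IIS, a TWebModule, ...) has to give.
// An empty object means no CORS headers, so the browser blocks the request.
function answerPreflight(policy, preflight) {
  if (!policy.origins.includes(preflight['origin'])) return {};
  const asked = (preflight['access-control-request-headers'] || '')
    .split(',').filter(Boolean);
  if (!asked.every((h) => policy.headers.includes(h))) return {};
  return {
    'access-control-allow-origin': preflight['origin'],
    'access-control-allow-methods': policy.methods.join(','),
    'access-control-allow-headers': asked.join(','),
  };
}

// Browser side again: the real request is sent only if this returns true.
function preflightPasses(preflight, response) {
  const allowOrigin = response['access-control-allow-origin'];
  const allowed = (response['access-control-allow-headers'] || '').split(',');
  const asked = (preflight['access-control-request-headers'] || '')
    .split(',').filter(Boolean);
  return (allowOrigin === '*' || allowOrigin === preflight['origin'])
    && asked.every((h) => allowed.includes(h));
}
```

The policy here lists a specific origin instead of `*`, which limits which sites' scripts may read the responses.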