x-access-token issue with Rad Server

I'm using Rad Server, and I've configured CORS policy by updating the emsserver.ini file with the following:


This seems to work with most of my endpoints. However, I developed a server resource that checks the status of a JWT token. In the header of the client request, I set a pair to x-access-token and my token. When I send the request from TMS Web Core, the server complains with the following:

'http://localhost:8080/RivExchangeU/GetStatus' from origin 'http://localhost:8000' has been blocked by CORS policy: Request header field x-access-token is not allowed by Access-Control-Allow-Headers in preflight response.

This of course is on my development machine. I've searched far and wide and can't seem to find a solution to this problem.



I'm not a RAD Server expert; the people at Embarcadero are better positioned for this.

But in general, for CORS, you should set in the header:
'Access-Control-Allow-Origin', '*'

Well, I'm pretty sure Rad Server simply does not allow the use of x-access-token. It seems to only allow the following headers:

THeaderNames = record
public const
  ApiVersion = 'X-Embarcadero-Api-Version';
  ApplicationId = 'X-Embarcadero-Application-Id';
  SessionToken = 'X-Embarcadero-Session-Token';
  MasterSecret = 'X-Embarcadero-Master-Secret';
  AppSecret = 'X-Embarcadero-App-Secret';
  TenantId = 'X-Embarcadero-Tenant-Id';
  TenantSecret = 'X-Embarcadero-Tenant-Secret';

I don't think it's a CORS issue.

My preflight response is this:

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39
Date: Sat, 21 May 2022 18:25:04 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, X-Embarcadero-Application-Id, X-Embarcadero-App-Secret, X-Embarcadero-Master-Secret, X-Embarcadero-Tenant-Id, X-Embarcadero-Tenant-Secret, X-Embarcadero-Session-Token, X-Embarcadero-Api-Version
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, PATCH

I can't find any documentation that will allow me to modify the Access-Control-Allow-Headers.
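
The check a browser applies to the preflight response quoted above, as an added example (not code from this thread or from RAD Server): a simplified JavaScript model of the Fetch standard's preflight header check, run against the Access-Control-Allow-Headers list posted above. The function names and the placeholder token value are assumptions made for the illustration.

```javascript
// Simplified model of the browser's CORS-preflight header check (Fetch standard).
// Byte-length limits on safelisted values and the Range header are ignored here.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Parse a raw header block ("Name: value" per line) into a lowercase-keyed map.
function parseHeaders(raw) {
  const map = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i > 0) map.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return map;
}

// Does this request header trigger a preflight and need explicit allow-listing?
function needsAllowListing(name, value) {
  const n = name.toLowerCase();
  if (SAFELISTED.has(n)) return false;
  if (n !== "content-type") return true;
  return !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

// Return the request headers the browser refuses after this preflight response.
function blockedHeaders(preflightRaw, requestHeaders, withCredentials = false) {
  const allowed = new Set(
    (parseHeaders(preflightRaw).get("access-control-allow-headers") || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  // "*" is a wildcard only for non-credentialed requests and never covers Authorization.
  const wildcard = allowed.has("*") && !withCredentials;
  return Object.entries(requestHeaders)
    .filter(([name, value]) => needsAllowListing(name, value))
    .map(([name]) => name.toLowerCase())
    .filter((n) => !allowed.has(n) && !(wildcard && n !== "authorization"));
}

// Preflight response as posted in the thread (CORS headers copied from the page).
const PREFLIGHT = `HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, X-Embarcadero-Application-Id, X-Embarcadero-App-Secret, X-Embarcadero-Master-Secret, X-Embarcadero-Tenant-Id, X-Embarcadero-Tenant-Secret, X-Embarcadero-Session-Token, X-Embarcadero-Api-Version
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, PATCH`;

// Constructed request headers; the token value is a placeholder.
const REQUEST = { "x-access-token": "<jwt-placeholder>", "Accept": "application/json" };

console.log(blockedHeaders(PREFLIGHT, REQUEST));
```

Only browsers run this check; the request succeeds in a browser once the server's preflight response names x-access-token in Access-Control-Allow-Headers.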


So, where is x-access-token coming from? Who sets this where?

I send the request from TMS Web Core using the WebHttpRequest component. I send x-access-token and the token string as part of the headers.

I don't understand. You say that RAD server doesn't support x-access-token and yet you must send it?
Have you checked with Embarcadero on these requirements & config?

I did more investigation. The x-access-token works when using the REST Debugger, so it does seem to be a CORS issue while developing, but I don't think it will be an issue once deployed. In the meantime, to continue development I'm using the CORS Everywhere Firefox plug-in, which works for development for now.