xDataWebClient strange CORS issue


Web Core version = v2.0.5.0 + Delphi 11.2

CORS is again in center of the battle
I get an issue with such path

XdataWebClient--> API GW --> API Server Apache xData
With XDataWebClient when opening connexion to URL (obfuscated) using Firefox or MS Edge,
I get an issue about CORS error

"Access to XMLHttpRequest at 'https://apihub-2.*******-preprod.net:8080/ ******* /reparateurs/$model' from origin 'http://localhost:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."

But when I check the same request with CURL client, everything works fine (from same PC)
And it enables to check the CORS authorization is present
< Access-Control-Allow-Origin: *

Is there something to add for XDataWebClient ?



Details of CURL request which simulates HTTP request done by XdataWebClient

>curl -v --header "authorization: 1*******************************2"  -H "Origin: http://localhost:8000" https://apihub-2.*********-preprod.net:8080/*************/reparateurs/$model
*   Trying
* Connected to apihub-2.*******-preprod.net ( port 8080 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
> GET /*******/reparateurs/$model HTTP/1.1
> Host: apihub-2.*******-preprod.net:8080
> User-Agent: curl/7.83.1
> Accept: */*
> authorization: 1*************2
> Origin: http://localhost:8000
* schannel: failed to decrypt data, need more data
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Length: 67500
< Content-Type: application/json
< Date: Wed, 02 Nov 2022 16:38:20 GMT
< Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/8.0.6
< X-Ratelimit-Limit: -1
< X-Ratelimit-Remaining: 0
< X-Ratelimit-Reset: 0
< Xdata-Version: 2
    "Title": "Server API",
    "Version": "3",
    "Schemas": [
            "Namespace": "XData.Default",
            "EntityTypes": [
                    "Name": "Site",
                    "Properties": [

See: TMS Software | Blog

I already added in xdata Server a middleware CORS with origin = *
But, as it's an apache module, I'm not sure it works as a sparkle dispatch

Regarding the blog post, there is way to add it manualy but I don't understand how doing that with apache module
my code looks like with webbroker

    xDataServerContainer := TxDataServerContainer.Create(nil);
    xDataServerContainer.XDataServer.Dispatcher := nil;


where to force the module creation as exposed in blog article ?

Module.AccessControlAllowOrigin := '*'; // Add this line  

And my bad I'm understanding the root subject is xDataServer not Xdatawebclient

I understand this was solved by proper Apache configuration as you stated here?

Hi Wagner
No currently I'm still searching where CORS is not exposed
Investigating on the API Gateway (Tyk.io) about CORS setup.
In progress...

It seems I found the issue
During XdataWebClient connection, a request is sent to xadataServer_url/$model
But during this, none event to

XDataWebClientRequest(Request: TXDataClientRequest);

seems fired.
But it's the event used to integrate header key for API Authorization.
And without this info inside header, the API Gateway (which is securing the xData API) refuses xdatawebclient connection request

On our Tyk.io gateway
error=Authorization field missing
path=/xdata/reparateurs/$model <= which is the request at connection from xdatawebclient

Is there a way to force connection to use XDataWebClientRequest before sending request ?



Here capture of connection trace through fiddler

Continuing to investigate I discovered most of API Gateway can support CORS OPTIONS to go through gateway for first connection to test CORS status
There is such option in Tyk.io but the connection request is a GET not an OPTIONS

Maybe a next feature for XdataWebclient will be to enable sent of an OPTIONS request before any other.

The /$model endpoint request is performed by the TXDataWebConnection component, not the TXDataWebClient. For authorization purposes, I recommend to always use the OnRequest event of the TXDataWebConnection itself since it centralizes the requests for any client connected to it.

This is done automatically by the browser, there is no need for the component to do so.

Thanks Wagner ,
My bad, switching from XDataWebClient to XdataWebConnection, the header is well formed and request is working fine through the tyk.io API Gateway

procedure TDM_Main.ApiConnectionRequest(Args: TXDataWebConnectionRequest);
  console.log('Add Header : Authorization = '+API_Authorizatop_Key);
  Args.Request.Headers.SetValue('Authorization', API_Authorizatop_Key);

But the OPTIONS request can't be found in capture, but it seems not required to work here.

This topic was automatically closed 60 minutes after the last reply. New replies are no longer allowed.