Resolving CORS errors in AJAX requests from third-party sites



Objective:

To successfully make AJAX requests from a third-party site to a ServiceDesk Plus URL with custom headers without encountering CORS (Cross-Origin Resource Sharing) policy issues.


Initial AJAX Call Attempt:

The following AJAX call example demonstrates making a request using jQuery's $.ajax method:



jQuery.ajax({
    // Cross-origin target: the ServiceDesk Plus REST API endpoint
    url: 'https://your-servicedeskplus-url/api/v3/requests',
    type: 'GET',
    headers: {
        // Custom (non-safelisted) header; this is what makes the browser send a preflight
        'TECHNICIAN_KEY': '<value>'
    },
    success: function(data) {
        console.log(data);
    }
});


Encountered Error:

The following CORS policy error may be encountered:

Access to XMLHttpRequest at 'https://your-servicedeskplus-url/api/v3/requests' from origin 'https://your-third-party-site' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.


Explanation of the Error:

CORS (Cross-Origin Resource Sharing) is a browser-enforced security mechanism: under the same-origin policy a web page cannot read responses from an origin other than the one that served it unless that server explicitly opts in through CORS response headers. Because the request above carries a custom TECHNICIAN_KEY header, the browser first sends a preflight (an OPTIONS request asking the server which origins and headers it permits). The error occurs because the server's preflight response does not include the required Access-Control-Allow-Origin header, so the browser refuses to send the actual request.


Resolution Steps:

To resolve this CORS issue, configure the ServiceDesk Plus application to include the necessary CORS headers in its responses. The steps are as follows:


Add Access-Control-Allow-Origin Header in Security Settings:


Go to the security settings of your ServiceDesk Plus application -> Advanced and add the Access-Control-Allow-Origin header with the value set to the exact origin (scheme and host) of the requesting site, e.g., https://your-third-party-site. Use the specific origin rather than a wildcard so that only the intended site is allowed to read API responses.




Add Access-Control-Allow-Headers Header in securitySettings.json:


Locate the securitySettings.json file in the [SDP_Home]/conf directory of your ServiceDesk Plus installation. Open the file and add "Access-Control-Allow-Headers" to the "response_headers" array, as shown below. This header tells the browser which HTTP request headers may be used in the actual request that follows the preflight.

"response_headers": [
    "Cache-Control",
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "X-XSS-Protection",
    "Access-Control-Allow-Origin",
    "Referrer-Policy",
    "Expect-CT",
    "Feature-Policy",
    "Access-Control-Allow-Headers"
]



After making changes to the securitySettings.json file, save the file and restart the ServiceDesk Plus service to apply the changes.

Update Access-Control-Allow-Headers in Security Settings:


Go to the security settings again and set the value of the Access-Control-Allow-Headers header to include the domain of your ServiceDesk Plus instance. For example, if your ServiceDesk Plus domain is https://xyz.servicedeskplus.com, then the value of the Access-Control-Allow-Headers header should be https://xyz.servicedeskplus.com


Restart the ServiceDesk Plus Service Again.

After updating the server configuration, retry the AJAX call. With the server correctly configured to allow cross-origin requests, the call should succeed without any CORS errors.
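As an added example (not part of the article or of the ServiceDesk Plus product), the following JavaScript models the browser-side decision the resolution steps above are satisfying: why the TECHNICIAN_KEY header forces a preflight, and which response headers make that preflight pass. The origins and header values are constructed placeholders taken from the article, and credentialed requests are not modelled.

```javascript
// Added example (not from the article): a simplified model of the browser's
// CORS preflight decision for the request shown above. Credentialed requests
// (cookies, withCredentials) are not modelled. Sample values are constructed.

const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Header names are case-insensitive, so lower-case them before any lookup.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// A preflight (OPTIONS) is sent when the method is not GET/HEAD/POST or when
// any request header, such as TECHNICIAN_KEY, is not CORS-safelisted.
function needsPreflight(method, requestHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.keys(normalize(requestHeaders)).some((h) => !SAFELISTED.has(h));
}

// Decide whether the preflight response lets the real request proceed.
function evaluatePreflight(origin, requestHeaders, responseHeaders) {
  const resp = normalize(responseHeaders);
  const allowOrigin = resp['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (allowOrigin !== '*' && allowOrigin !== origin) {
    return { allowed: false, reason: `Origin ${origin} does not match ${allowOrigin}` };
  }
  // Every non-safelisted request header must be listed (or '*' must be present).
  const allowedHeaders = new Set(
    (resp['access-control-allow-headers'] || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean),
  );
  for (const name of Object.keys(normalize(requestHeaders))) {
    if (!SAFELISTED.has(name) && !allowedHeaders.has('*') && !allowedHeaders.has(name)) {
      return { allowed: false, reason: `Header ${name} is not in Access-Control-Allow-Headers` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample: the article's request against the server before and after the fix.
const ORIGIN = 'https://your-third-party-site';
const REQUEST_HEADERS = { TECHNICIAN_KEY: '<value>' };
const BEFORE = {}; // preflight answered with no CORS headers at all
const AFTER = { 'Access-Control-Allow-Origin': ORIGIN, 'Access-Control-Allow-Headers': 'TECHNICIAN_KEY' };
```

Calling evaluatePreflight(ORIGIN, REQUEST_HEADERS, BEFORE) reproduces the "No 'Access-Control-Allow-Origin' header is present" failure, while the AFTER headers allow the request; a different origin is still rejected because the allowed origin is matched exactly.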


Summary:

By updating the ServiceDesk Plus server's security settings to include the Access-Control-Allow-Origin and Access-Control-Allow-Headers headers, you can resolve CORS policy errors and enable successful cross-origin AJAX requests from the third-party site whose origin you allowed.

