NetWebServiceMethod - how to add a custom header in the response

[Thys]

Hi,

I want to make sure that Chrome is happy with the response from my web service. I previously understood that the default value

s_web._SitesQueue.Defaults.AccessControlAllowOrigin

needs to be set in the WebServer procedure to either * which Chrome doesn't accept any more, or to the correct domain. This will be sent back as part of the response header for any call. But now Chrome is not happy with just that anymore. It also wants the header Access-Control-Allow-Credentials to be set to true.

Which brings me to the question of how do I add a custom header to a response?

Thys

[Bruce]

>> Which brings me to the question of how do I add a custom header to a response?

Wrong question. Right answer is that

s_web._SitesQueue.Defaults.AccessControlAllowCredentials

also already exists.

Do you have any links for the Chrome requirements please?

cheers
Bruce

[Thys]

Hi Bruce.

The property AccessControlAllowCredentials didn't show in code completion, hence the reason for my post.

I was on 10.04 before and now downloaded 10.06 - but it doesn't look as if the property exists:

Field not found: ACCESSCONTROLALLOWCREDENTIALS - ...

I'll still send you the Chrome information.

Thys

[Thys]

Hi Bruce.

We couldn't get a reference for Chrome that won't accept the "*" wildcard, but the browser definitely does have a problem when AccessControlAllowOrigin is set to "*".

There is also no mentioning that AccessControlAllowCredentials has to accompany AccessControlAllowOrigin , although in all of the examples (see https://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server) they both are used to facilitate CORS.

Thys

[Thys]

...and this article also explains more about CORS:

http://restlet.com/company/blog/2016/09/27/how-to-fix-cors-problems/

[Bruce]

>> The property AccessControlAllowCredentials didn't show in code completion, hence the reason for my post.

my mistake.
It's in the Header group, but not the NetWebServerGroup group (for other reasons).

So the best way to tweak the header in general is to embed in the WebServer, SetDefaultHeaderDetails method, after the parent call. the cood looks something like;

  self.HeaderDetails.AccessControlAllowOrigin = ''
  self.HeaderDetails.AccessControlAllowCredentials = ''

There are a bunch of access headers you can set here;

  self.HeaderDetails.AccessControlAllowOrigin = ''
  self.HeaderDetails.AccessControlAllowCredentials = ''
  self.HeaderDetails.AccessControlAllowMethods = ''
  self.HeaderDetails.AccessControlAllowHeaders = ''
  self.HeaderDetails.AccessControlExposeHeaders = ''
  self.HeaderDetails.AccessControlMaxAge = ''

If the template exposes a setting then it will _override_ any code you set here. (But the template does not currently have settings for all these fields.)

thanks for the links.

cheers
Bruce