WEB SEND HTTP REDIRECT CORS

Version 15.4. I am having a problem with WEB SEND HTTP REDIRECT: for a particular URL it has stopped redirecting. In the browser I get this error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://pay-sandbox.gocardless.com/flow/xxxx. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

This code has been working for a while so something must have changed with v 15.4 ?

Does anyone know how I can include a header with WEB SEND HTTP REDIRECT? Something like:

ARRAY TEXT(asHeaderNames;0)
ARRAY TEXT(asHeaderValues;0)
APPEND TO ARRAY(asHeaderNames;"Access-Control-Allow-Origin")
APPEND TO ARRAY(asHeaderValues;"*")

WEB SEND HTTP REDIRECT(vtrUrlReflow)

If I paste vtrUrlReflow into browser all is ok so not an issue with url.

Thanks
Paul

Also tried
ARRAY TEXT(asHeaderNames;0)
ARRAY TEXT(asHeaderValues;0)
APPEND TO ARRAY(asHeaderNames;"Access-Control-Allow-Origin")
APPEND TO ARRAY(asHeaderValues;vtrUrlReflow)
WEB SET HTTP HEADER(asHeaderNames;asHeaderValues)

WEB SEND HTTP REDIRECT(vtrUrlReflow)

Are you sure nothing changed on the server you are trying to redirect
to?

: Paul DENNIS

This code has been working for a while so something must have changed
with v 15.4 ?

If you go back to the version that previously worked, does it still work or does it continue to give this error? If you continue getting this error then something changed on the server side, not in 4D.

In either case, I thought CORS was something you need to configure on the server-side, not the client-side.
Meaning I don’t think setting the headers prior to the redirect will help at all because that is on the client side.
Do you control the server side (the server you are redirecting to)?

-Tim

Based on the URL you included, it seems you are trying to use gocardless.com
According to their github page (https://github.com/gocardless/http-api-design#cors), it seems like "Any domain that is registered against the requesting account is accepted."

So I would first check and validate that the domain is added to your gocardless.com account, otherwise it seems like this error could be expected.

The code hasn’t changed, only the version of 4D. I checked with the redirect
server this morning and they replied

it looks like an issue with the HTTP client that you’re using as
opposed to GoCardless. It seems like an issue with CORS - there seem
to be a few fixes for this online

Been trying to fix all day. The error occurs as soon as you get to WEB SEND HTTP REDIRECT(vtrUrlReflow). The URL is valid; this is an issue between the browser and 4D, as 4D is sending the request to the browser to redirect and the browser is refusing. Other redirect URLs work okay but they are http not https, which I think is the issue. I’m currently testing this on localhost to eliminate any third-party server.

If you go back to the 4D version that previously worked, does it still work or does it continue to give this error?

-Tim

Trying that at the moment. My previous was v15 r5. I’ve got too many versions going on! I think you might be right about accepted domains.
Paul

: Paul DENNIS

I think you might be right about accepted domains.

I am a bit surprised the GoCardless support team didn’t mention that.

-Tim

I think it’s because 4D is running on http and the nginx proxy in front does the https bit. It has been working like this for over a year. To resolve I am trying to force the 4D web server to TLS but it won’t run on port 443?

Did it work when you reverted the version of 4D?

-Tim

No same error on v15 r5. Going to try older version just in case.

Older version option is a bit complicated. Do you have any tips for debugging this ?
Thanks
Paul

Any idea how to force https on the 4D web server? Do I need a cert?

If reverting the version of 4D doesn’t make it work then I don’t think anything changed in 4D - so something else must have changed… maybe the domain name you are using or something on the server (gocardless) side, or maybe even the browser.

If your domain name recently changed, then maybe that is why it stopped working.

Make sure you have added the domain to your GoCardless account (I have absolutely no idea how to do this). I would imagine that the domain that your NGINX server is listening on (i.e. the domain that you enter into the address bar) needs to be added to your GoCardless account.

I would suggest working with the GoCardless support team on it, however they didn’t even tell you that you need to have the domain added to your account to bypass CORS, so I don’t know if the support person you worked with knows about CORS & their API (https://github.com/gocardless/http-api-design#cors)… Maybe they have a higher tier of support that actually knows about CORS?

-Tim

: Paul DENNIS

Any idea how to force https on the 4D web server? Do I need a cert?

Yes, you need a signed certificate in order to use HTTPS. You can go self-signed (http://kb.4d.com/assetid=75985), automate the process for free using Let’s Encrypt (http://kb.4d.com/assetid=77708), or purchase from a Certificate Authority (CA).

The certificate needs to be in .pem format and placed next to the structure file (if web server is running from 4D server or Single-user - 4D Client has a different location for the certificate).

Also, make sure that no other application is using the port (80/443) otherwise the web server will not start.

If on Mac, make sure the HelperTool (http://kb.4d.com/assetid=76962) is properly installed to run on port 80/443.


Regarding CORS, I think this SO answer (http://stackoverflow.com/a/10636765/5971390) describes why the server (gocardless) needs to be set to allow your site/domain.

Thanks for your help Tim, I agree it’s a GC issue. The SO answer explains it. I was thinking upside down in that we needed to send a header with the Access-Control-Allow-Origin: http://gocardless.com but it works the other way round. Which makes sense. Trouble is I can’t work out where I set this up. GC can be a bit slow responding.
Paul

GC replied as follows

The only allowed hosts are gocardless.com domains. For security reasons we cannot add any third-party domains to this list - it’s not something you will be able to configure on your GoCardless account.

You should not see this error if you are redirecting the user to our redirect flows, so it sounds like something else is happening here. How is the redirect being performed?

Can anyone enlighten me as to “How is the redirect being performed?”

Thanks
Paul

Hi Paul

Sounds like the browser is refusing to redirect away from 4D based on CORS rules, so the path of including a header was correct, I think. Have you tried including the CORS header in the browser page served prior to the redirect ? I think the header is supposed to go with the redirect itself though.

An alternative approach would be to get NGINX to insert a CORS header entry to keep the browser happy?

Hope this helps.

Best regards

Keith

This is quite interesting. I mean, from the error message you posted it certainly sounds like the remote server needs to allow your server in order to use its resources (see here: https://stackoverflow.com/questions/24182259/)… The github page (https://github.com/gocardless/http-api-design#cors) makes it sound like the gocardless API supports this, but from your interaction with the gocardless support team that appears to be incorrect.

Maybe I am looking at this incorrectly - I think I need more context on what you are trying to do.

Are you redirecting an entire page to gocardless or are you trying to use/embed/call a resource on gocardless from within your site without a full page redirect?
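
The question above, whether the redirect is a full-page navigation or a request made by script, decides whether the browser applies CORS at all. As an added example that is not part of the thread, here is a simplified JavaScript model of that check; the site origin `https://shop.example`, the helper functions and every header value are constructed for illustration, and only the destination URL is taken from the error message.

```javascript
// Simplified model of how a browser treats a redirect that leaves the site.
// Not a full Fetch/CORS implementation: no preflight, no credentials mode.

// CORS check on one response, for a script running on pageOrigin.
function corsCheck(pageOrigin, headers) {
  const allow = headers['access-control-allow-origin'];
  return allow === '*' || allow === pageOrigin;
}

// hops: responses in the order received, each { url, headers }.
// mode: 'navigate' = full-page load (link, plain form post, address bar)
//       'cors'     = XMLHttpRequest / fetch started by script on pageOrigin
function followRedirects(pageOrigin, mode, hops) {
  for (const hop of hops) {
    const crossOrigin = new URL(hop.url).origin !== pageOrigin;
    // Only script-initiated cross-origin responses are checked;
    // top-level navigations are never subject to CORS.
    if (mode === 'cors' && crossOrigin && !corsCheck(pageOrigin, hop.headers)) {
      return { ok: false, blockedAt: hop.url };
    }
  }
  return { ok: true, blockedAt: null };
}

// Constructed sample data. PAGE is a hypothetical site origin; DEST is the
// URL from the error message; every header value here is made up.
const PAGE = 'https://shop.example';
const DEST = 'https://pay-sandbox.gocardless.com/flow/xxxx';
const ANY = { 'access-control-allow-origin': '*' };

// A 302 from our own server followed by the destination's 200.
function chain(redirectHeaders, destHeaders) {
  return [
    { url: PAGE + '/start', headers: redirectHeaders },
    { url: DEST, headers: destHeaders },
  ];
}

const results = {
  // Script request, header set only on our own 302: still blocked.
  headerOnRedirect: followRedirects(PAGE, 'cors', chain(ANY, {})),
  // Script request, destination itself allows our origin: readable.
  headerOnDestination: followRedirects(PAGE, 'cors',
    chain({}, { 'access-control-allow-origin': PAGE })),
  // Same responses as the first case, reached by full-page navigation.
  navigation: followRedirects(PAGE, 'navigate', chain(ANY, {})),
};
console.log(results);
```
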

Hello Keith, tried setting headers wherever I can think of.

ARRAY TEXT(asHeaderNames;0)
ARRAY TEXT(asHeaderValues;0)
APPEND TO ARRAY(asHeaderNames;"X-STATUS")
APPEND TO ARRAY(asHeaderValues;"301")
APPEND TO ARRAY(asHeaderNames;"Access-Control-Allow-Origin")
APPEND TO ARRAY(asHeaderValues;vsGSEndPoint)
WEB SET HTTP HEADER(asHeaderNames;asHeaderValues)

WEB SEND HTTP REDIRECT(vtrUrlReflow)

Where I am baffled is that this has been working for at least 9 months while we have been testing.
Regards
Paul