cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

TW REST API support for http OPTIONS request from browser during Cross-origin resource sharing

avaidya1
Newbie

TW REST API support for http OPTIONS request from browser during Cross-origin resource sharing

Hi,

We have developed TW REST API service(s) for consumption by external web application.

These APIs work fine when tested with Postman.Same API fails When tested from external web application.

We found that first OPTIONS request is sent to TW server (instead of POST), as below, to which TW server returns 401 or 403 status.

What is the solution for this in TW?

Request

OPTIONS /Thingworx/Things/TnT.MobilityControllerThing/Services/VerifyLogin HTTP/1.1

Accept: */*

Origin: http://localhost:8080

Access-Control-Request-Method: POST

Access-Control-Request-Headers: content-type, accept, authorization

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393

Response

HTTP/1.1 403 Forbidden

Server: Apache-Coyote/1.1

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Security-Policy: frame-ancestors 'self'

X-Frame-Options: SAMEORIGIN

Content-Type: text/plain

Content-Length: 0

Date: Fri, 04 Aug 2017 15:41:22 GMT

Tags (1)
2 REPLIES 2

Re: TW REST API support for http OPTIONS request from browser during Cross-origin resource sharing

Hello, Aniruddha Vaidya.

The error you're seeing:

HTTP/1.1 403 Forbidden

Server: Apache-Coyote/1.1

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Security-Policy: frame-ancestors 'self'

X-Frame-Options: SAMEORIGIN

Looks related to the 'Allowing Embedded Mashups in iFrames' topic in the ThngWorx Help Center. See

http://support.ptc.com/help//thingworx_hc/thingworx_7_hc/index.html#page/ThingWorx_Core_Help_Center/...

for further information. Check that your Content Security Policy configuration matches what you're trying to do.

-- Craig A.

Re: TW REST API support for http OPTIONS request from browser during Cross-origin resource sharing

Hi Craig,

Thanks for reply, The above link did not help much.

My TW REST API (for service) works with http POST method (from POSTMAN), but when tested from html page (via java script) in chrome, it sends pre-flight http OPTIONS (as mentioned above) method, TW server gives 401/403 error. ( chrome sends OPTIONS voluntarily under CORS condition, programmer does not have any control on the same.)

So question is Does TW server supports http OPTIONS method at all ? If not how to handle this.

As per my understanding TW supports (POST, PUT, DELETE methods only)

Br,

Aniruddha

Announcements

Check out the upcoming Expert Session: Understanding ThingWorx Navigate Licensing in Community "Customer Events" section.