Skip to main content
A
avaidya11-Visitor
1-Visitor
August 7, 2017
Question

TW REST API support for http OPTIONS request from browser during Cross-origin resource sharing

  • August 7, 2017
  • 2 replies
  • 2414 views

Hi,

We have developed TW REST API service(s) for consumption by external web application.

These APIs work fine when tested with Postman.Same API fails When tested from external web application.

We found that first OPTIONS request is sent to TW server (instead of POST), as below, to which TW server returns 401 or 403 status.

What is the solution for this in TW?

Request

OPTIONS /Thingworx/Things/TnT.MobilityControllerThing/Services/VerifyLogin HTTP/1.1

Accept: */*

Origin: http://localhost:8080

Access-Control-Request-Method: POST

Access-Control-Request-Headers: content-type, accept, authorization

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393

Response

HTTP/1.1 403 Forbidden

Server: Apache-Coyote/1.1

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Security-Policy: frame-ancestors 'self'

X-Frame-Options: SAMEORIGIN

Content-Type: text/plain

Content-Length: 0

Date: Fri, 04 Aug 2017 15:41:22 GMT

2 replies

C
CRArko5-Regular Member
5-Regular Member
August 7, 2017

Hello, Aniruddha Vaidya.

The error you're seeing:

HTTP/1.1 403 Forbidden

Server: Apache-Coyote/1.1

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Security-Policy: frame-ancestors 'self'

X-Frame-Options: SAMEORIGIN

Looks related to the 'Allowing Embedded Mashups in iFrames' topic in the ThngWorx Help Center. See

http://support.ptc.com/help//thingworx_hc/thingworx_7_hc/index.html#page/ThingWorx_Core_Help_Center/ThingWorxHelpCenterD…

for further information. Check that your Content Security Policy configuration matches what you're trying to do.

-- Craig A.

A
avaidya11-VisitorAuthor
1-Visitor
August 8, 2017

Hi Craig,

Thanks for reply, The above link did not help much.

My TW REST API (for service) works with http POST method (from POSTMAN), but when tested from html page (via java script) in chrome, it sends pre-flight http OPTIONS (as mentioned above) method, TW server gives 401/403 error. ( chrome sends OPTIONS voluntarily under CORS condition, programmer does not have any control on the same.)

So question is Does TW server supports http OPTIONS method at all ? If not how to handle this.

As per my understanding TW supports (POST, PUT, DELETE methods only)

Br,

Aniruddha

Terms & ConditionsAccessibility statement