Web Dev Response Headers

I'm wondering if there's a way to manipulate the response headers of a doGet method in the Web Dev module. I need to add 'Access-Control-Allow-Origin' to the headers of the response object to allow other domains/servers/sites access to the endpoints. JavaScript has built-in security restraints (CORS) to guard against Cross Site Scripting. This is usually negated by adding Access Control in the header response.

I know my code is working because I can easily get the data when consuming the endpoint from the same server; this is only a problem when using a site on another host (same network).

Here's the main error I get in the browser:

Here's the HTML5 explanation, basically saying you need to add this Header to the response object.
html5rocks.com/en/tutorials/ ... the-server

[code]headers = request['headers']
headers.update({"Access-Control-Allow-Origin":"http://SERVERNAME"})

jsonObject = {"one":"two"}

response = system.util.jsonEncode(jsonObject)

#how do I add this to the actual response (not just the variable)
headers = system.util.jsonEncode(headers)

#I've tried adding them to the request then returning the request but to no avail
request['headers'] = headers
request['servletResponse'] = response

#I've tried all the different response types json, html, response, etc
return {'response': (response)}

[/code]

Any ideas?

Try getting the servletResponse, setting the header on it, then returning the response data.


[code]servletResponse = request['servletResponse']
servletResponse.setHeader('Access-Control-Allow-Origin', 'http://SERVERNAME')

# ... do whatever and return a response ...
[/code]

Solid, that worked!

[code]	#this is pretty dirty, but it works.
	jsonObject = system.util.jsonEncode(LISTOBJECT)
	# request['servletResponse'] is the servlet response object itself; no import or cast is needed
	servletResponse = request['servletResponse']
	servletResponse.addHeader('Access-Control-Allow-Origin', '*')
	# write the JSON body directly to the response
	writer = servletResponse.getWriter()
	writer.println(str(jsonObject))
	writer.close()  # the original had writer.close without parentheses, which never called it
	return None
[/code]

Is there any way that I can globally set up all calls to have these headers in their response (even 4** responses)? My calls require authentication and I can’t seem to add the authentication header to my preflight requests. Another possible solution would be to exempt the option verb from needing authentication.
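
One way to handle the preflight-plus-authentication case raised in the last post, as an added example that is not code from the thread or from the Web Dev module itself: a per-resource helper that echoes only allowlisted origins, answers OPTIONS before any authentication check, and sets the CORS headers before a 401 is returned. Assumptions: the helper names, the `is_authenticated` callback, the `FakeResponse` stub and calling `handle_options` from the resource's OPTIONS handler are hypothetical; `http://SERVERNAME` is the thread's placeholder.

```python
# Added example for a Web Dev Python resource; runs on Jython 2.7 and Python 3.
# ALLOWED_ORIGINS, apply_cors, handle_options, handle_get, FakeResponse are hypothetical names.
ALLOWED_ORIGINS = {"http://SERVERNAME"}   # placeholder origin from the thread
ALLOWED_METHODS = "GET, OPTIONS"
ALLOWED_REQUEST_HEADERS = "Authorization, Content-Type"

def _header(request, name):
    """Case-insensitive lookup in request['headers']."""
    for key, value in dict(request['headers']).items():
        if key.lower() == name.lower():
            return value
    return None

def apply_cors(request):
    """Set CORS headers on the servlet response; return True if the origin is allowed."""
    resp = request['servletResponse']
    resp.setHeader('Vary', 'Origin')      # the answer depends on Origin, so caches must key on it
    origin = _header(request, 'Origin')
    if origin not in ALLOWED_ORIGINS:
        return False                      # no CORS headers: the browser blocks the cross-origin read
    # Echo the exact origin: browsers reject '*' on credentialed requests.
    resp.setHeader('Access-Control-Allow-Origin', origin)
    resp.setHeader('Access-Control-Allow-Credentials', 'true')
    return True

def handle_options(request):
    """Preflight: sent without credentials, so it is answered before any auth check."""
    resp = request['servletResponse']
    if apply_cors(request):
        resp.setHeader('Access-Control-Allow-Methods', ALLOWED_METHODS)
        resp.setHeader('Access-Control-Allow-Headers', ALLOWED_REQUEST_HEADERS)
    resp.setStatus(204)

def handle_get(request, is_authenticated, payload):
    """Actual request: CORS headers go on first so an error response carries them too."""
    apply_cors(request)
    if not is_authenticated(request):
        request['servletResponse'].setStatus(401)
        return {'json': {'error': 'unauthorized'}}
    return {'json': payload}

class FakeResponse(object):
    """Constructed stand-in for request['servletResponse'] when run outside the gateway."""
    def __init__(self):
        self.headers, self.status = {}, 200
    def setHeader(self, name, value):
        self.headers[name] = value
    def setStatus(self, code):
        self.status = code
```

This does not set the headers globally; each resource's handlers have to call the helper themselves.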