Hi Rushikesh,
When making REST calls in JavaScript, the server has to respond to the preflight request (OPTIONS method) with the correct headers (to authorize the browser) before the REST call can continue with the method that you are trying to use.
The header that you need is:
Access-Control-Allow-Origin
and sometimes you need a couple more if you want to use cookies. More info can be found here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
In your published REST service you can create an operation for the “OPTIONS” request. Add that to your published service and create a microflow that creates the Access-Control-Allow-Origin header with the value of the URL that you are accessing it from (or you can use an * but be cautious of using the wildcard).
Here is an example:
https://modelshare.mendix.com/models/69eaf5f8-3658-4352-a0eb-00116f3746f5/options-resource
Hope this helps!
You might want to use Mendix 8.1.
In the release notes, it says: “We changed the behavior of OPTIONS requests to published REST services. Authentication is no longer required when you define an OPTIONS microflow. In addition, when CORS is checked, you no longer need an OPTIONS microflows; the service will respond to OPTIONS requests with CORS headers.”
The Same Origin Policy (SOP) is a security measure standardized among browsers. It is needed to prevent Cross-Site Request Forgery (CSRF). The "Origin" mostly refers to a "Domain". Same Origin Policy prevents different origins (domains) from interacting with each other, to prevent attacks such as CSRF (Cross Site Request Forgery) through such requests, like AJAX. In other words, the browser would not allow any site to make a request to any other site. Without Same Origin Policy, any web page would be able to access the DOM of other pages.
This SOP (Same Origin Policy) exists because it is too easy to inject a link to a JavaScript file that is on a different domain. This is actually a security risk; you really only want code that comes from the site you are on to execute and not just any code that is out there.
If you want to bypass that restriction when fetching the contents with the fetch API or XMLHttpRequest in JavaScript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.
If you need to enable CORS on the server in the case of localhost, you need to have the following on the request header.
Access-Control-Allow-Origin: http://localhost:9999
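
The preflight handling described in the answers above, as an added example that is not part of the original posts or of Mendix: it decides the CORS headers from an exact-match origin allowlist instead of `*`. The function name `corsResponse`, the allowlists and the `Max-Age` value are assumptions for illustration; the origin is the one quoted above.

```javascript
// Added example: compute CORS response headers for a REST endpoint.
// ALLOWED_* values and corsResponse() are hypothetical names for illustration.
const ALLOWED_ORIGINS = new Set(["http://localhost:9999"]); // origin quoted in the post
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// method: HTTP method; reqHeaders: map with lower-cased header names.
// Returns { status, headers }. status is 204/403 for a preflight and
// null for an actual request (the real handler sets the status then).
function corsResponse(method, reqHeaders, { credentials = false } = {}) {
  const origin = reqHeaders["origin"];
  const isPreflight =
    method === "OPTIONS" && "access-control-request-method" in reqHeaders;
  const deny = { status: isPreflight ? 403 : null, headers: { Vary: "Origin" } };

  // Exact string match only: no "*", no prefix, suffix or substring checks.
  // Without Access-Control-Allow-Origin the browser blocks the cross-origin call.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return deny;

  // Vary: Origin keeps caches from serving one origin's answer to another.
  const headers = { Vary: "Origin", "Access-Control-Allow-Origin": origin };
  // Credentials are only valid with a specific origin, never with "*".
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (!isPreflight) return { status: null, headers };

  // Preflight: check what the browser says the real request will use.
  const wantMethod = reqHeaders["access-control-request-method"];
  const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod)) return deny;
  if (!wantHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return deny;

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache this
  return { status: 204, headers };
}
```

An origin such as `http://localhost:9999.evil.example` is rejected because the comparison is on the whole origin string, which is the check a wildcard or substring match would skip.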