Configuring the Interview Web Service to use CORS
Usually, browsers prevent cross-site scripting: for example, the browser might prevent a a web page that is hosted by mysite.com from accessing the Interview Web Service that is hosted by mysurveys.com.
To instruct the browser that access from a specific external site is allowed, you can configure Cross-Origin Resource Sharing (CORS) for the Interview Web Service. When a script hosted by mysite.com tries to make a request to mysurveys.com, the browser sends a “preflight request” to mysurveys.com to check if mysite.com is allowed access.
To enable CORS for the Interview Web Service
To handle the preflight request and allow access from the specified site, edit this file:
C:\Program Files\IBM\SPSS\DataCollection\7\Interviewer Server\Server\InterviewWebService\Global.asax
After the existing Application line, add the code below.
<script language="C#" runat="server">
protected void Application_BeginRequest(object sender, EventArgs e)
{
HttpContext.Current.Response.Headers.Set("Access-Control-Allow-Origin", "http://test.com:8080");
HttpContext.Current.Response.Headers.Set("Access-Control-Expose-Headers", "SessionToken");
if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
{
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "X-Requested-With, SessionToken");
HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "600");
HttpContext.Current.Response.End();
}
}
</script>
To allow a single origin
Replace http://test.com:8080 with the origin.
To allow a group of origins
Specify a wildcard in the Access-Control-Allow-Origin header.
To specify a list of valid origins
Create a hashset of origins, for example:
<script language="C#" runat="server">
protected void Application_BeginRequest(object sender, EventArgs e)
{
System.Collections.Generic.HashSet<string> allowedOriginList = new System.Collections.Generic.HashSet<string>(new string[]
{
"http://myorigin1.com:8080",
"http://myorigin2.com:8989",
}, StringComparer.OrdinalIgnoreCase);
string origin = HttpContext.Current.Request.Headers["Origin"];
if (allowedOriginList.Contains(origin))
{
HttpContext.Current.Response.Headers.Set("Access-Control-Allow-Origin", origin);
HttpContext.Current.Response.Headers.Set("Access-Control-Expose-Headers", "SessionToken");
if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
{
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "X-Requested-With, SessionToken");
HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "600");
HttpContext.Current.Response.End();
}
}
}
</script>
See also