Digital Assistant and Mobile

Get Involved. Join the Conversation.


    Do Access-Control-Allow-Origin headers override the Mobile...
    Topic posted June 25, 2019 by bc_uk, last edited June 25, 2019 
    Do Access-Control-Allow-Origin headers override the Mobile Hub Security_AllowOrigin environment policy setting?

    I have setup a Mobile Hub, and have created a Custom API that needs to be called from an Ionic mobile client which uses the Oracle Mobile Cloud SDK. The Custom API works without errors when tested within the Backend in Mobile Hub. It looks like this:

    module.exports = function(service) {
        service.get('/mobile/custom/patients/patients', function(req, res) {
            req.oracleMobile.connectors.patients.get(null, null, null).then(
                    res.setHeader("Access-Control-Allow-Origin", "*");
                  res.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
                   res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
                    res.setHeader("Access-Control-Allow-Credentials", "true");
                    res.setHeader("Cache-Control", "no-cache");
                    res.send(result.statusCode, result.result);
                    res.send(500, error.error);


    However, when I call this API from the mobile client, it fails at the authentication stage with this commonly reported error:

    Failed to load Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8100' is therefore not allowed access.

    I'm using anonymous auth in my Ionic client:

    this.mcs.mobileBackend.authorization.authenticateAnonymous().then(function(response) {
    console.log('anonymous authentication: success');
    console.log('anonymous authentication: failed');


    So, my question is - should the Access-Control-Allow headers I've added in my Custom API response override whatever the Mobile Hub's Security_AllowOrigin is set to? I also have the Enable Cross-Origin Resource Sharing Chrome plugin activated in my debug environment (Chrome). Any ideas as to how I might solve this? All the Google results point to adding the headers in the server response as being the solution.