NetWeaver Gateway Support for CORS
My SAPUI5 code is running in a different domain from the OData service. The web service is secured using Basic Authentication (user ID and password).
This is what is happening...
- The Browser sees this as cross origin, so it kicks into something called 'CORS Preflight' and sends an OPTIONS request instead or a GET.
- Since the web service wants authentication data and doesn’t see any, it returns a 401 error to the Browser.
I did some more research, and I found that the CORS specification says two things: 1) OPTIONS shouldn’t require authentication on the server side, and 2) the browser will strip all headers from OPTIONS requests (including the Authentication Header!) before sending the request. Tilt.
It would seem that SAP’s support for CORS is lacking because it is requiring authentication on OPTIONS requests. Is there is something more I can do to get SAP to allow OPTIONS requests to be made unauthenticated?