Deployment – Advanced Settings – CORS

On this page

Cross Origin Resource Sharing (CORS) is a mechanism used to control where browsers are allowed to load resources from (for example feature service data, application or web map configurations). For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts, using the same-origin policy. This means that a web application (i.e. UNE for ArcGIS) can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers. How this impacts UNE depends on how it is deployed and settings in ArcGIS Enterprise/Portal.

Single server deployment

If UNE and ArcGIS Enterprise are installed on the same server (see figure 1 below) then they will share their origin – for example at https://server1.company.com/sweet and https://server1.company.com/arcgis/portal. Normally in this scenario there is no need to adjust CORS settings on the server.

server1.company.com
UNE
ArcGIS Enterprise
Figure 1: single server deployment

Note: if using UNE for mobile there are additional CORS settings that must be configured – see below.

Multiple server deployment

If UNE and ArcGIS Enterprise are installed on the more than one server (see figure 2 below) then they will not share their origin – in this example at https://server1.company.com/sweet and https://server2.company.com/arcgis/portal. This will mean that by default UNE will be unable to connect to server2.company.com and the app will fail to start.

server1.company.com
UNE
server2.company.com
ArcGIS Enterprise
Figure 2: multiple server deployment

To enable UNE to connect CORS settings must be adjusted on server2.company.com. These settings can be configured in a number of places (firewall, web server, ArcGIS Enterprise). The exact mechanism you choose to do this will depend on your organisation’s security policy. Two common examples are shown below.Note that if the web server on server2 is explicitly set up to allow connection from any origin (i.e. it returns an HTTP header called Access-Control-Allow-Origin with a value of *) then no further setup steps should be necessary.

Note: if using UNE for mobile there are additional CORS settings that must be configured – see below.

Allowed Origins in ArcGIS Enterprise/Portal/Server

By default ArcGIS Enterprise allows cross-domain requests from any origin. However it is recommended practice to restrict access – full instructions are available in the ArcGIS Portal help pages. In the example given above https://server1.company.com would need to be added to the Allowed Origins of the portal hosted on server2.

CORS settings in IIS

If not using Allowed Origins in ArcGIS Portal, CORS can be configured at the IIS level. This is an advanced workflow, please refer to the full description available on the IIS CORS Module help pages.

CORS for UNE for Mobile

If using UNE for Mobile with UNE for ArcGIS Enterprise and also using Allowed Origins (or another CORS restriction) then additional steps are required.

https://sweet.esriuk.com
UNE for Mobile
server1.company.com
UNE
ArcGIS Enterprise
Figure 3: UNE for mobile and server deployment

UNE for Mobile is treated as a separate origin when making requests to the server. It uses a single origin value of https://sweet.esriuk.com when connecting. To allow sign in and access to UNE and ArcGIS Enterprise on server1.company.com the following adjustments must be made. Note that CORS may be configured at other points in a network – for example on load balancers or application gateways – which may override settings made using the steps below.

  1. Confirm that the IIS CORS Module extension is installed on IIS.
  2. Amend the web.config file in the UNE web folder (typically C:\une\media\web) so that CORS is enabled for https://sweet.esriuk.com. A simple example of is shown below – a full description is available on the IIS CORS Module help pages.
    <?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer> 
        <cors enabled="true" failUnlistedOrigins="true"> 
            <add origin="https://sweet.esriuk.com" /> 
        </cors>
    </system.webServer>
</configuration>
  1. Amend the web.config file in the UNE server folder (typically C:\une\media\server) so that CORS is enabled for https://sweet.esriuk.com. (See step 2 above for details)
  2. Add https://sweet.esriuk.com to the Allowed Origins in ArcGIS Portal.

Note: mixing CORS settings (for example using * at the web folder level but https://sweet.esriuk.com in Allowed Origins) will not work and will prevent successful sign in.