We have an application which is protected by SiteMinder. The application is deployed in the https://abc.e.example.net domain and the weblogin in the https://cd-appstest.e.example.net domain. Now when we call the protected resource https://abc.e.example.net/protected, there is a redirection to weblogin but there are no contents (blank page). We received the following error message: "
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cd-appstest.e.example.net/internal/login?TYPE=33554433&REALMOID=06-f7aa5cc5-e491-11cd-8d98-862e00180001&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$N5MjfOF7Ss%2b4YvM6g38sJLDA8KiTWcgLkNWF%2bhD78DX9sULYtX9%2f4dPFqsx7VsXM2W5e5zBrrISBqpTX56FUJB4TnUMmOHN&TARGET=$SM$https%3a%2f%2fabc%2ee%example%2enet%2fprotected%2fcommon%2fresources%2fusers%2f_meta%2fcurrent. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). "
As depicted in the error message, the Access-Control-Allow-Origin header is missing in the server response. This issue is very specific to Firefox and Chrome. Based on the Firefox documentation (HTTP access control (CORS) - HTTP | MDN) we have noted that if there are requests to a resource from a different domain, protocol, or port to its own, then Access-Control-Allow-Origin has to be set to the origin. Since here https://abc.e.example.net is the origin, we need to set this as Access-Control-Allow-Origin in the web server corresponding to the https://cd-appstest.e.example.net domain.
Both are in the same domain, i.e. .e.example.net. Then why is this a problem?
We are providing SSO to many applications and we had no such issues till now. The solution is currently working with all the browsers except this case.
I have also gone through the article "These cross domain XMLHttpRequest fails to reach the actual server". This is quite different from my case in the sense that mine is in the same domain.
Can anyone help me on this with possible solutions?
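The following is an added example, not part of the original post, to show why the two hosts above are different origins and how the login host could answer the blocked request safely. It uses the two hostnames from the post; the allowlist and the `cors_headers` helper are assumptions, not anything from the SiteMinder product.

```python
from urllib.parse import urlsplit

def origin_of(url: str) -> str:
    """Return the origin a browser compares under the Same Origin Policy.

    The origin is the (scheme, host, port) tuple; a shared parent domain such as
    .e.example.net does not make two hosts the same origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"https": 443, "http": 80}[scheme]
    return f"{scheme}://{host}:{port}"

def same_origin(a: str, b: str) -> bool:
    """True only if both URLs share scheme, host and port."""
    return origin_of(a) == origin_of(b)

# Assumption: the login host keeps an explicit allowlist of application origins.
ALLOWED_ORIGINS = {"https://abc.e.example.net"}

def cors_headers(request_origin, allowed=ALLOWED_ORIGINS, with_credentials=True):
    """Build the CORS response headers the login host should send.

    Returns an empty dict (no CORS headers, so the browser blocks the read) when
    the Origin header is absent or not on the allowlist. A credentialed request
    (session cookies) needs the exact origin echoed back; browsers reject '*'.
    """
    if request_origin is None:
        return {}
    if origin_of(request_origin) not in {origin_of(o) for o in allowed}:
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",  # responses differ per origin, so caches must key on it
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

if __name__ == "__main__":
    app = "https://abc.e.example.net/protected"
    login = "https://cd-appstest.e.example.net/internal/login?TYPE=33554433"
    print("same origin:", same_origin(app, login))  # False
    print(cors_headers("https://abc.e.example.net"))
```

Note that the request the browser blocks is the one that followed the redirect to the login host, so the headers must come from that host's response, not from the application's.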