Domino, CORS and the OPTIONS request

4
votes

I'm working on an AngularJS app that uses Domino as a backend. Since I want more customization options than Domino Access Services (DAS) gives me, my next choice was the REST Service from the Extension Library.

The app is running on a separate domain from Domino, so I need to add CORS headers to make that scenario work. With CORS, the browser (for some requests) first makes a preflight HTTP OPTIONS request to the server to check what methods are allowed (more on CORS here: http://www.html5rocks.com/en/tutorials/cors/).

The problem I now run into is that Domino throws a Method Not Allowed error (response code 405) on that OPTIONS request. I already added it to the list of allowed methods in my internet site document (although I'm not sure if the REST service will honor that at all). The request comes through fine with DAS.

Looking at the source code of the RestDocumentJsonService in the Extension Library it seems that the OPTIONS method isn't supported at all.

Any thoughts on how to make this work? Or for a workaround? I know that I can write my own servlet or install a proxy in front of Domino, but I don't want to go that route (yet ;-)

2
xpageslotus-dominoxpages-extlib
Have you tried to overwrite the content type of the POST request to 'application/x-www-form-urlencoded', 'multipart/form-data', or 'text/plain'? This prevents browsers from sending a preflight request.Sven Hasselbach
That doesn't work (for the xe:restService component): it throws an error saying that the Content-Type has to be application/json (for POST requests, as well as PUT and PATCH).Mark Leusink
If you really want to add the OPTIONS method in the RestDocumentJsonService, you could extend it overriding only what you needed and then use it as a custom Service in the Extension Library's Rest ServiceToby Samples
I'll explore that a bit. It does mean that I can't simply use one of the configurable REST services, set (for example) the correct view and be done :(Mark Leusink

2 Answers

3
votes

If you are trying to use Authenticated CORS you will need minimum four headers to work

Access-Control-Allow-Credentials: true
access-control-allow-header: X-Requested-With, Origin, Accept, Accept-Version, Content-Type
access-control-allow-method: OPTIONS, GET, PUT, POST, DELETE, PATCH
access-control-allow-origin: http://yourOtherDomain.com

Unfortunately you can only add 3 headers through the Web Site documents

You cannot add anything through a Phase Listener because the ExtLib Rest Services do not go through the XSP Phases

You can use a proxy such as nginx or in my case I used IHS

http://xomino.com/2014/04/20/adding-custom-http-headers-to-domino-r9-using-ibm-http-server-ihs/

Or you can just roll your own REST service and add whatever headers you want

0
votes

Mark, just a quick comment. I am not sure if this would work for you.

But what I do in a current project is to put the Angular app in the WebContent folder of the NSF. This serves several purposes - one of them being ease of deployment with the right version of the backend code in the same NSF. I have set the database up for source control and edit the Angular part directly in the on-disk project of the NSF and just sync them when I need to run it. As a side effect this setup will also solve any CORS issues as client side code is launched from the same domain as my REST service is called from ;-)

/John