I am trying to run an SAPUI5 JavaScript application to read data from a NetWeaver Gateway OData service. I am running into cross origin policy issues.
My SAPUI5 code is running in a different domain from the OData service. The web service is secured using Basic Authentication (user ID and password).
This is what is happening...
- JavaScript is trying to send a GET request to the web service.
- The Browser sees this as cross origin, so it kicks into something called 'CORS Preflight' and sends an OPTIONS request instead or a GET.
- Since the web service wants authentication data and doesn’t see any, it returns a 401 error to the Browser.
- Fail
I tried rewriting the JavaScript to send an Authentication header. However, the authentication data is never included in the OPTIONS request.
I did some more research, and I found that the CORS specification says two things: 1) OPTIONS shouldn’t require authentication on the server side, and 2) the browser will strip all headers from OPTIONS requests (including the Authentication Header!) before sending the request. Tilt.
It would seem that SAP’s support for CORS is lacking because it is requiring authentication on OPTIONS requests. Is there is something more I can do to get SAP to allow OPTIONS requests to be made unauthenticated?