JavaScript Search CORS Errors

Modern browsers respect the same-origin policy to restrict how a document or script loaded from one origin can interact with a resource from another origin and therefore prevent some Cross-site Request Forgery attacks. The Cross-Origin Resource Sharing (CORS) mechanism provides a way for web servers to securely support cross-site data transfers.

The Coveo JavaScript Search Framework makes HTTP requests to the Search API. Whenever the search requests are or appear to be made from a domain other than the one where the Search API resides, the client side, the server side, and anything in between (such as a proxy) must be configured to work together to support CORS.

You typically see the "Oops! Something went wrong on the server. If the problem persists contact the administrator" message rather than search results when a cross-origin restriction blocks the communication between your Coveo JavaScript Search page and the Coveo Search API.

Error When Opening a JsSearch Page From the File System

You can open a Coveo JavaScript search page directly from the file system by simply double-clicking its file in Windows Explorer. This is useful to quickly test the search page. The URL in the browser is then of the following form:

file://[Drive]:/path/to/the/file/myJsSearchPage.htm

Symptoms

When you open the search page file directly, you see the "Oops! Something went wrong on the server" message rather than the expected search results page.

In your browser Console, you see the following error message:

XMLHttpRequest cannot load http://myserver/rest/search/?errorsAsSuccess=1. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access.

This error occurs when you open the file on any computer, even the one on which the Search API is running. Frustrating!

Possible Cause

You configured your on-premises Coveo Search API as a Windows service and allowed access from all domains (allowedDomains: "*" - see Windows Service Configuration File). However, when you open a Coveo JavaScript search page directly from the file system, because no web server is serving the page, the origin domain is not set and appears as being null.

As the above error message indicates, the browser enforces the same-origin policy and denies access to a null origin when the Coveo Search API that the search page communicates with is set to allow access from all domains and the credentials flag is enabled. The Coveo JavaScript Search Framework enables this flag by default because it is required for Windows Authentication.

Possible Solutions

Solution 1

When you do not need Windows authentication, you can prevent the Coveo JavaScript Search Framework from enabling the credentials flag by adding the anonymous option, set to true, to the search endpoint definition (see Coveo.SearchEndpoint Class).

In the script where you define the searchEndpoint, add the anonymous: true option:

// Anonymous endpoint: the framework no longer sends credentials with search requests.
Coveo.SearchEndpoint.endpoints["default"] = new Coveo.SearchEndpoint({
    restUri: 'http://someserver/rest/search',
    anonymous: true
});

The credentials flag is no longer true, so the browser allows the communication.

Solution 2

Open the search page using a web server.

On Microsoft Windows with Internet Information Services (IIS), you can simply unzip the CoveoJsSearch.zip file to the following folder:

C:\inetpub\wwwroot\CoveoJsSearch

and quickly get the Coveo JavaScript Search page served by IIS using a URL of the form:

http://myserver/coveojssearch/mysearchpage.html

The origin is no longer null, so the browser allows the communication.
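To make the cause and the two solutions above concrete, here is an added example (not Coveo's code) that models the browser's CORS response check and runs it against the three situations on this page: a page opened from the file system with the default credentials flag, the same page with an anonymous endpoint, and the page served by a web server. The helper names (pageOrigin, corsDecision, requestFor) and the response headers are assumptions constructed for this example; how the Coveo Search API actually builds its Access-Control-Allow-Origin header is not shown on this page.

```javascript
// Added example, not Coveo code: a small model of the browser-side CORS check
// behind the errors on this page. Helper names are assumptions for this example.

// Origin the browser sends for a page. A page opened from the file system has an
// opaque origin that serializes as the string "null".
function pageOrigin(pageUrl) {
  const url = new URL(pageUrl);
  if (url.protocol === 'file:') return 'null';
  return url.origin; // e.g. "http://myserver"
}

// Simplified version of the browser's CORS check (Fetch spec "CORS check"):
// given the request origin, whether credentials were sent, and the response
// headers, decide whether the response is exposed to the page.
function corsDecision({ requestOrigin, withCredentials, responseHeaders }) {
  const allowOrigin = responseHeaders['Access-Control-Allow-Origin'];
  const allowCredentials = responseHeaders['Access-Control-Allow-Credentials'];

  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'No Access-Control-Allow-Origin header' };
  }
  if (allowOrigin === '*') {
    if (withCredentials) {
      // The case behind the console error quoted on this page.
      return {
        allowed: false,
        reason: `A wildcard '*' cannot be used when the credentials flag is true; origin '${requestOrigin}' is not allowed`,
      };
    }
    return { allowed: true, reason: 'Wildcard accepted for a request without credentials' };
  }
  // Exact string match only. Note for defenders: answering a literal "null"
  // origin with Access-Control-Allow-Origin: null would pass this check for any
  // sandboxed or file-based page, so it is not a fix worth deploying.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: `Origin '${requestOrigin}' does not match '${allowOrigin}'` };
  }
  if (withCredentials && allowCredentials !== 'true') {
    return { allowed: false, reason: 'Credentials sent but Access-Control-Allow-Credentials is not "true"' };
  }
  return { allowed: true, reason: 'Origin matched' };
}

// The page states that the framework enables the credentials flag unless the
// endpoint is anonymous; this helper models only that rule.
function requestFor(endpointOptions, pageUrl) {
  return {
    requestOrigin: pageOrigin(pageUrl),
    withCredentials: !endpointOptions.anonymous,
  };
}

// Constructed sample response headers for the three scenarios on this page.
const wildcardResponse = { 'Access-Control-Allow-Origin': '*' };

// 1. Page opened from the file system, allowedDomains "*", credentials on: blocked.
const scenarioFileSystem = corsDecision({
  ...requestFor({ restUri: 'http://myserver/rest/search' }, 'file:///C:/path/to/myJsSearchPage.htm'),
  responseHeaders: wildcardResponse,
});

// 2. Solution 1: same page, anonymous endpoint (no credentials): allowed.
const scenarioAnonymous = corsDecision({
  ...requestFor({ restUri: 'http://myserver/rest/search', anonymous: true }, 'file:///C:/path/to/myJsSearchPage.htm'),
  responseHeaders: wildcardResponse,
});

// 3. Solution 2: page served by IIS, and the API answers with that exact origin
// plus Allow-Credentials (assumed server behaviour, not shown on the page): allowed.
const scenarioServed = corsDecision({
  ...requestFor({ restUri: 'http://myserver/rest/search' }, 'http://myserver/coveojssearch/mysearchpage.html'),
  responseHeaders: {
    'Access-Control-Allow-Origin': 'http://myserver',
    'Access-Control-Allow-Credentials': 'true',
  },
});

console.log(scenarioFileSystem, scenarioAnonymous, scenarioServed);
```

Run it with Node (node cors-check.js, any file name). The first scenario reproduces the "wildcard with credentials" denial for origin 'null', the second shows why anonymous: true is enough when Windows authentication is not needed, and the third shows that serving the page is only sufficient when the API echoes an allowlisted origin rather than the wildcard.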

Internet Explorer: a JsSearch Page Indefinitely Loads

Symptoms

A Coveo JavaScript Search page appears to load indefinitely: only the loading animation shows, and no search results appear.

The Internet Explorer console reports the “Access is denied” message for the CoveoJsSearch.js file.

Possible Cause

Internet Explorer has a concept of Security Zones that protects intranet and trusted sites from requests originating from normal Internet sites (see Internet Explorer - Security). Addresses located inside the company network are normally included automatically in the Local Intranet zone. Sites from the Internet zone are not allowed to send requests to servers in either the Local Intranet or the Trusted Sites zone.

A Coveo JavaScript Search page sends HTTP requests to a Coveo Search API. Depending on the zones in which the computer running IE and the server hosting the Search API are located, IE can deny the access based on the security zone rules.

For a Coveo Javascript Search page in the context of Coveo for Sitecore, a missing HTTP request header in IIS may be the cause (see JavaScript Search CORS Errors).

Possible Solutions

Solution 1

When you are using an on-premises Search API instance and your users run the Coveo JavaScript Search page from one or only a few domains, relocate or install another instance of the Coveo REST Search API in the domain(s) from which your users run the JavaScript search page (see Installing the Windows Service).

Solution 2

  • For requests between intranet subdomains

    The Search API can be hosted on a server that is in your organization network, but in another subdomain from the computer running IE. This subdomain may not be automatically included in the Local Intranet zone.

    Adding the Search API server to the Local Intranet zone may allow the access:

    1. In Internet Explorer, click the Tools icon or press Alt-x, and then select Internet options.
    2. In the Internet Options dialog box, select the Security tab.
    3. Select Local intranet, and then click Sites.
    4. In the Local intranet dialog box, click Advanced.
    5. In the Websites list, add an entry (with or without wildcards) that includes your Search API server.
    6. Close all dialog boxes to make changes effective.
    7. Reload the search page to validate that the access is now authorized.
  • For requests from the Internet to your organization domain

    The Search API can be hosted on a server that is in your organization network, while the JavaScript Search page runs in IE from a domain on the Internet.

    For example, your users search from the Coveo integration in Salesforce (from salesforce.com) through an on-premises Search API to an on-premises index, both installed in your organization domain (mycompany.com).

    Adding the search page domain to the Trusted Sites zone may allow the access:

    1. In Internet Explorer, click the Tools icon or press Alt-x, and then select Internet options.
    2. In the Internet Options dialog box, select the Security tab.
    3. Select Trusted sites, and then click Sites.
    4. In the Local intranet dialog box, click Advanced.
    5. In the Websites list, add an entry (with or without wildcards) that includes your search page domain.
    6. Close all dialog boxes to make changes effective.
    7. Reload the search page to validate that the access is now authorized.

The above solution can fix the problem on one computer, which is fine during development for testing purposes, but not for IE on the workstations of all production users. In a Windows environment, an IT department can distribute this configuration using a Group Policy Object (GPO) (see Group Policy).