OK I need some help. I need to make sure I’m not losing my mind.

We are using an ERP which is hosted by another company. We are supposed to be able to access the data via a REST API. This works fine using Insomnia or Postman, but when I attempt to hit the API from my web application, CORS blocks the localhost origin.

I contacted the company’s technical team to request that they change the CORS configuration to allow localhost. They keep running me around in circles telling me that I don’t know what I’m talking about because localhost isn’t a DNS resolvable name and I’m doing something wrong and they don’t need to change any configuration.

They insist that if anything would need whitelisted, it would be my IP, not localhost.

I sent them screenshots and stack overflow posts and documentation links, showing them exactly what headers need to be set and where the configuration needs to be set in the ERP. They tell me I don’t know what I’m talking about.

They tell me that if I can hit the API from Postman, I can hit it from my browser.

Am I losing my mind? Have I fundamentally misunderstood CORS all these years? I’m sure I’m right. But I’m starting to feel like I’m crazy.

Comments
  • 2
    You aren't crazy. It might be your browser (Chrome) which is not allowing to you exempt localhost. Try some other browser? Or disable the check at all? There is a CLI option you will need to pass to disable it

    Plus, why are you hosting the webapp on your localhost and using their API? If it is not for testing purposes, host it in remote site and provide your hostname/IP address for them to add those to the allow header
  • 2
    @asgs well sure I can disable CORS. But eventually more of our users will be using this app. And they shouldn’t all have to do that.

    This is for testing and development purposes.

    The issue is that I can’t even get through to them that CORS needs configured. They literally needed me to explain to them what CORS is, yet claim that can’t possibly be the issue. Even though the error clearly says CORS blocked the request.
  • 2
    I clearly remember that our CORS config had http://localhost:3000 and http://localhost:3001 addresses in it. It doesn't need to be an IP address.
  • 3
    @hack Thank you!!! That’s what I’m trying to tell them. Their “Senior Tech” literally asked me “what is CORS?” when I brought this up. And yet, not understanding what the issue even is, they tell me up and down that I don’t know what I’m talking about to the point that I’m starting to doubt myself.
  • 2
    Is there a proxy in the middle? Adding localhost as an allowed origin doesn't make much sense to me unless there is a proxy that accepts the external request and then forwards it to another port over the localhost network.
  • 2
    @cmarshall10450 No. I’m just attempting to hit the API directly. I can fire up a reverse proxy myself and forward requests that way, but the REST API is supposed to be configured to allow localhost, according to the ERP documentation. Or rather, they recommend allowing any origin. Do you mind elaborating a little more on why that wouldn’t make sense to you? I’m open to the idea that there’s a better way.
  • 1
    hmm, have you tried sending a preflight options request with your origin in it?

    also is this the official ERP API you're using or are you trying to use their internal api that isn't supposed to be accessed from outside?

    Is this an electron app? Because if so, there are ways to handle this. Specifically you can capture the response and update the CORS headers before they hit the browser instance, which allows you to bypass it...

    But if this is a browser app then that's sus. I'm not sure if localhost should really be an allowed origin. Browsers are designed to be safe boxes for the users. If any website can just hit the erp api from any user's browser then that's kinda not ok. There's even a special case in CORS when you're sending any type of credentials, like in cookies or authorization header, that is *required* to contain an origin.

    So are we talking actual user level browser, or an app like chrome app or electron that uses a browser as an engine?
  • 0
    wtf are you talking about? why do you need localhost at all?

    They give you a url:

    http://api.erp.com/v1/post

    You post to it in postman/cli as

    -x POST http://api.erp.com/v1/post

    Where and why did this change to:

    -x POST http://localhost/v1/post

    ????

    Is your app acting as a proxy? this is silly. I can understand why they are frustrated with you.
  • 0
    CORS exists for browser users' safety. Tools like Postman or http libraries ignore missing CORS headers. And you're right, the header's called "Access-Control-Allow-Origin", not "Allow-Domain", localhost or IPs are totally fine if necessary.

    As long as you don't plan on talking to the API through the browser, but through your own server backend or application, you're good without CORS. Just can't test it in the browser.
  • 1
    @Nihil75 I think he's saying he's got a React app or something running on localhost and wants it to post directly to the api. And he can't read the response because of missing cors headers.
  • 1
    @Nihil75 I don’t think you understand what’s going on here at all. My app is running on https://localhost:7283. When I try to hit https://api.com, CORS blocks the origin localhost. Nothing to do with calling localhost.
  • 0
    @Hazarth This is the official API. The ERP developer specifically recommends allowing any origin in order to hit the API. The people I’m struggling with here is the partner/vendor hosting the instance for us. (Note, this is a dedicated instance. Not one they use for all their customers.) And this is an actual browser level application. Not electron.

    And my preflight request that’s being blocked.

    Maybe just hitting a reverse proxy is the way to go. Just sucks having to maintain an extra piece ourselves, and being unable to even get through to them what I’m suggesting happen.
  • 0
    @localpost Hmm yeah I’m thinking more and more maybe I need to just reverse proxy it so I can get around CORS. I have a proxy set up and it works fine. I just don’t like having to do that when the ERP developer officially recommends allowing the origin in CORS.

    But maybe that’s the way to go. Thank you!
  • 0
    @MySlugLikesSalt Idk exactly how this works. You're paying someone to host the ERP instance but you don't get access to its settings?
  • 0
    @MySlugLikesSalt Also, does the software use per-user credentials like a Microsoft account or something, or do you authorize your POSTs with some sort of client secret that was maybe never meant to be used in a browser?
  • 1
    @localpost Yes. Correct. It’s a setup I think is really dumb, but it’s not my call. However, we were told they would do whatever they needed to for us to get API access. We paid… well. I’m not sure I’m allowed to say exactly how much. But over $9k USD to get access to *talk to* this guy who needed me to explain to him what CORS is.

    And these are per-user credentials. The server returns an ASP.NET authorization cookie.
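    The server-side decision the thread keeps circling (an origin allowlist that can legitimately contain localhost entries, a preflight answer, and the credentialed-mode rule Hazarth mentioned, which matters here because the ERP sets an auth cookie), as an added example that is not code from the thread, the ERP, or its vendor. The allowlist, header names handled and `Max-Age` value are constructed for illustration; origins are compared as exact `scheme://host[:port]` strings, so no DNS resolution of "localhost" is involved.

```python
# Added example: minimal CORS policy logic for an API that must accept a
# browser-hosted app (dev origins on localhost) and an authentication cookie.
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the dev origins named in the thread plus a placeholder
# production origin. Entries are exact scheme://host[:port] strings.
ALLOWED_ORIGINS = {
    "http://localhost:3000",
    "https://localhost:7283",
    "https://erp-frontend.example",  # placeholder, not a real deployment
}
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
ALLOWED_HEADERS = {"content-type", "authorization"}


def normalize_origin(origin: str) -> Optional[str]:
    """Lower-case scheme://host[:port], or None for non-URL origins such as 'null'."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


def cors_headers(method: str, req_headers: dict) -> Optional[dict]:
    """Headers to add to the response, or None when the origin must be refused.

    req_headers keys are lower-case. No Origin header means a same-origin page
    or a non-browser client (Postman, curl): nothing to add, nothing to block.
    """
    origin = req_headers.get("origin")
    if origin is None:
        return {}
    if normalize_origin(origin) not in ALLOWED_ORIGINS:
        return None
    # Credentialed requests (the auth cookie) need the exact origin echoed back;
    # browsers reject "*" in that mode. Vary keeps caches from mixing origins.
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    if method == "OPTIONS" and "access-control-request-method" in req_headers:
        # Preflight: browser asks first; only then does it send the real request.
        wanted_method = req_headers["access-control-request-method"].upper()
        raw = req_headers.get("access-control-request-headers", "")
        wanted_headers = {h.strip().lower() for h in raw.split(",") if h.strip()}
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_HEADERS:
            return None
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = "600"
    return headers
```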
  • 1
    @localpost And it’s for sure meant to be used in a browser. Even the official ERP client is a web app running in the browser.
  • 1
    I feel your pain, dude. Here you try to explain why you need to do your webapp in the first place, and useless senior maintaining external system doesn't give shits despite being paid for the ordeal. I would be annoyed as fuck too.

    In the short term, it may be obvious to somehow use a separate testing browser with CORS ignored. But in the long term, make your own API layer/server that communicates with external ERP.
  • 1
    @vintprox ugh… Maintaining our own layer to proxy the requests seems to be the common theme here, so I think that’s the direction I’ll move in. I hate having that extra possible point of failure, but at this point I’m not sure there’s much else I can do. Thanks for your input!