azure-sdk-for-js: [Service Bus] `ServiceBusAdministrationClient` Browser requests do not work unless web security is disabled
The ATOM management API currently doesn't work in the browser unless web security is disabled.
- This is due to a CORS policy error and it looks like the response headers are not being set properly. Specifically:
  - `Access-Control-Allow-Origin` - For requests that go via the Azure Portal, this gets set to `https://ms.portal.azure.com` by the service.
- More investigation is needed by service team; we may need a plan and security threat analysis to address the changes required for this implementation to work in browser for our users.
About this issue
- State: closed
- Created 5 years ago
- Comments: 17 (11 by maintainers)
Commits related to this issue
- [Service Bus] Mention "CORS not supported" in readme (#12341) ### Issue https://github.com/Azure/azure-sdk-for-js/issues/4983 — committed to Azure/azure-sdk-for-js by HarshaNalluru 4 years ago
@Jose-27
Unfortunately I’m still a bit stuck on this. The only solution that I have seen mentioned is to have a proxy between the two.
Hey @TyreeceSimpson
This would require a change from the service side and we don’t have an ETA on that. We will try and get this out of their backlog and update this thread if there is any progress.
Anybody who’s trying to use `ServiceBusAdministrationClient` directly through the browsers would run into this issue (blocked request), not just testing. If the service lets users manage/enable CORS rules or allow all the origins by default (*), this issue will be resolved. Another option is to launch the browser by providing a flag to disable web security, which is not ideal since it is not as secure.
Talked to @sadasant on this.
Thoughts after the discussion: Ideally, the service should provide an option to the users to set the CORS policy on the namespace similar to what storage does.
https://docs.microsoft.com/en-us/rest/api/storageservices/Cross-Origin-Resource-Sharing--CORS--Support-for-the-Azure-Storage-Services?redirectedfrom=MSDN
For testing, we can continue with the `--disable-web-security` flag in karma conf until the service supports enabling CORS rules.
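
An added illustration, not part of the original thread or the SDK: a simplified version of the origin check a browser applies to a cross-origin response, showing why a fixed `Access-Control-Allow-Origin: https://ms.portal.azure.com` blocks every other origin and what a per-namespace rule or `*` would change. `corsCheck` is a hypothetical helper, `https://app.example.com` is a constructed origin, and preflight handling is not modelled.

```javascript
// Simplified response-side CORS check, following the Fetch standard's rules.
// Header names are expected in lower case. Hypothetical helper, not SDK code.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // The wildcard is honoured only for requests sent without credentials.
  if (allowOrigin === "*" && !withCredentials) {
    return { allowed: true, reason: "wildcard" };
  }
  // Otherwise the header must equal the requesting origin exactly.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: `origin mismatch (header is ${allowOrigin})` };
  }
  // Credentialed requests also need Access-Control-Allow-Credentials: true.
  if (withCredentials &&
      responseHeaders["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials not allowed" };
  }
  return { allowed: true, reason: "origin match" };
}

const PORTAL_ORIGIN = "https://ms.portal.azure.com"; // value quoted in the issue
const APP_ORIGIN = "https://app.example.com";        // constructed sample origin

// Evaluate the situations discussed in the thread against constructed headers.
function demo() {
  const fixed = { "access-control-allow-origin": PORTAL_ORIGIN };
  const wildcard = { "access-control-allow-origin": "*" };
  const perNamespaceRule = { "access-control-allow-origin": APP_ORIGIN };
  return {
    portalPageToday: corsCheck(PORTAL_ORIGIN, fixed),
    customAppToday: corsCheck(APP_ORIGIN, fixed),
    customAppWithWildcard: corsCheck(APP_ORIGIN, wildcard),
    wildcardWithCredentials: corsCheck(APP_ORIGIN, wildcard, true),
    customAppWithNamespaceRule: corsCheck(APP_ORIGIN, perNamespaceRule),
  };
}

console.log(demo());
```

Launching the browser with `--disable-web-security` skips this check for every site the browser visits, which is why the thread limits it to test runs.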