
Get around cross-origin issues in your JavaScript applications using a proxy

Hi,

If you develop JavaScript applications, you are surely aware of the same-origin policy of browsers. It limits the application to requesting resources only from its own domain, while requests to any other domain will be blocked.

To solve this, you have two choices: either follow the CORS standard supported by the good guys of the browsers (guess what – the usual suspects of browsers don’t support it), or use a proxy within your Web application which is able to dispatch requests to resources of other domains.

For the CORS approach, there is already a nice blog from Joanna Chan here in SCN. CORS is a good choice if you don’t need to support older browsers, like IE version 8 or 9, and if you are able to securely control the allowed originating domains in your server application or service.

If you can’t use the CORS approach for your scenario due to browser or security limitations, the other choice is to use a proxy within your Web application. For this, we have released a Connectivity Proxy component on sap.github.io under Apache License v2. This component provides a simple Java proxy servlet that makes use of the SAP HANA Cloud Connectivity Service to dispatch HTTP requests to resources from other domains. Using the Connectivity Service, the proxy is also able to dispatch to on-premise resources, using Destinations and the SAP HANA Cloud Connector. This way you can easily call, for instance, SAP NetWeaver Gateway systems which are located in a secured network from your JavaScript application running in the cloud.

Check out the sources and further documentation directly on GitHub. As we follow an open-source approach here, you are also welcome to propose changes or extensions in case you spot areas in the proxy that should be improved.

      8 Comments
      L. van Hengel

      Hi Timo,

      Thanks for releasing this ProxyServlet on GitHub. I just used it to connect a SAPUI5 application to my local Gateway system using Destinations. It works like a charm 🙂

      Cheers,

      Leo

      Former Member
      Blog Post Author

      Hi Leo,

      good to hear 😳 . In case you find something to be added, please let me know.

      Regards, Timo

      Sascha Wenninger

      Very cool! I have to admit I didn't even know about sap.github.io 🙂

      And of course, thank you very much for sharing!!

      Former Member
      Blog Post Author

      Today we released version 0.1.2 of the connectivity proxy on GitHub, which adds some improvements in the security area:

      • You now need to whitelist the destinations used by an application on servlet level. This prevents unintended destinations from being called by the client application.
      • We added an abstract class SecurityHandler which is meant to handle additional security-related tasks. As of today, it provides a method used to filter out response headers sent by the backend to the proxy which should not be passed through to the client.

      If you use the connectivity proxy in productive scenarios, we recommend upgrading to the new version.

      Best regards,

        Timo
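
The destination whitelisting and response-header filtering described in the comment above, sketched in JavaScript as an added example; it is not the Connectivity Proxy's own code. The destination names follow the `/proxy/yourDestinationName1/*` pattern used in this thread, while the backend URLs, the blocked-header list and the function names are assumptions.

```javascript
// Constructed configuration: allowlisted destination names and their fixed backend base URLs.
// The names follow the /proxy/<destinationName>/* pattern; the hosts are placeholders.
const DESTINATIONS = new Map([
  ["yourDestinationName1", "https://gateway.example.internal:8443/sap/opu/odata/"],
  ["yourDestinationName2", "https://backend.example.com/api/"],
]);

// Assumed list of backend response headers that are not passed through to the client.
const BLOCKED_RESPONSE_HEADERS = new Set(["set-cookie", "server", "x-powered-by"]);

// Resolve "/proxy/<destination>/<rest>" to a backend URL string.
// Returns null when the request must be rejected.
function resolveTarget(pathAndQuery) {
  const match = /^\/proxy\/([A-Za-z0-9_-]+)\/(.*)$/.exec(pathAndQuery);
  if (!match) return null;
  const base = DESTINATIONS.get(match[1]);
  if (base === undefined) return null; // destination is not allowlisted
  const baseUrl = new URL(base);
  let target;
  try {
    target = new URL(match[2], baseUrl);
  } catch {
    return null; // unparsable remainder
  }
  // The remainder is client-controlled: an absolute URL, "//host" or "../" segments
  // could otherwise move the request to another host or outside the base path.
  if (target.origin !== baseUrl.origin) return null;
  if (!target.pathname.startsWith(baseUrl.pathname)) return null;
  return target.href;
}

// Copy backend response headers, dropping the blocked ones (case-insensitive names).
function filterResponseHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(
      ([name]) => !BLOCKED_RESPONSE_HEADERS.has(name.toLowerCase())
    )
  );
}

// Constructed sample requests, as a JavaScript client might send them.
for (const p of ["/proxy/yourDestinationName1/Products?$top=5",
                 "/proxy/unlistedDestination/Products",
                 "/proxy/yourDestinationName1/../../admin"]) {
  console.log(p, "->", resolveTarget(p));
}
```

The backend host always comes from the server-side configuration, never from the request, so the client can only choose among the configured destinations.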

      Geoffrey Mantel

      Hi Timo - while the .docx instructions on github have been updated to include the new whitelist destination syntax, the .pdf instructions still need to be refreshed to reflect the new syntax:

        <url-pattern>/proxy/yourDestinationName1/*</url-pattern>

        <url-pattern>/proxy/yourDestinationName2/*</url-pattern>

      Thanks for this tool!

      Former Member
      Blog Post Author

      Hi Geoffrey,

      thanks for the hint. I will update the pdf soon with the correction.

      Regards, Timo

      Priyal Choubey

      Hi Tim

      Thanks for the Connectivity servlet, it's really helpful.

      I am using this to develop a UI which accesses the OData service from a "cloud for customer" system. I am able to configure this for local testing, but on the cloud with an https URL I get a "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" exception, and with an http request I get "502 bad Gateway".

      This issue might not be related to the cross origin issue but can you help me with this?

      Regards

      Priyal

      Avital Ben-Natan

      For anyone developing a UI5 client application without Maven, Java, or Eclipse. Demoed here is a very lightweight approach with Node.js (a sample included for working behind a corporate proxy) and an even lighter-weight browser-based approach using request high-jacker and corsproxy.com