Skip to Content
Technical Articles
Author's profile photo May B

Cross Origin access to XSJS API

In this blog we will see how to perform cross origin calls to HANA XSJS APIs or simple terms calling our API from a different application.

Lets first understand what is CORS:
As per [link] Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.

For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. Although we can disable CORS for our testing using the keyword --disable-web-securityon our chrome browser, for a productive scenario it is required to enable cross origin access in a more restrictive manner if the APIs are from different origin.

The example below exactly demonstrates how we can achieve cross origin calls to HANA XSJS APIs this.

We have a xsjs service developed which we are calling using the the ajax call in our UI5 or AngularJS Frontend.

    type: "GET",
    url: "",
    beforeSend: function(xhr) {
        xhr.setRequestHeader("Authorization", "Basic MTAxxxxDIw");
    crossDomain: true,
    dataType: "json",
    success: function(result) {
    error: function(response) {}

A typical response would be:

The headers show “same-origin”

Things are working fine for same origin calls. Now lets try calling the ajax call from a different application. For our test scenario let us consider stackoverflow. On calling the ajax call we get the CORS error:

Access to XMLHttpRequest at ‘’ from origin ‘’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Lets check at the Network tab, we see that the method is changed from GET to OPTIONS:

The request headers show “cross-site” and Origin as “”

Now to allow access for our xsjs for cross domain we need to add the below details in our .xsaccess file:

    "exposed": true,
    "cors": {
        "enabled": true,
        "allowMethods": [
        "allowHeaders": [
        "allowOrigin": [
        "maxAge": "3600"
    "headers": {
        "enabled": true
    "exposeHeaders": [

To allow access from a specific website change the (*) with your Website URL in “allowOrigin” section. Coming to our xsjs service add the headers:

$.response.headers.set("Access-Control-Allow-Origin", "*");

Now lets test again, We see the response from our HANA XS retrieved successfully:

Lets go to network tab, the request method is changed to GET:

And the request headers:

We are now successfully able to access our XSJS API on other platforms.

For more reference you can check:–xsjs-application.html

Anonymous Call to access XSJS service using SQLCC:






Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.