5

We've changed the CORS options on our existing azure-search index to "allow all origins" but the querying the api from the browser still throws the "No 'Access-Control-Allow-Origin' header is present..." exception.

Are there some specific parameters we are missing or are there some more global CORS settings in Azure that are overwriting the settings on the index?

Thanks.

mpetar92
  • 75
  • 1
  • 7
  • Which origins have you added to your cors options? Are you accessing it from the same domain? – RoteS Jan 18 '16 at 20:23

4 Answers4

4

I solved it on my end.

Since you getting error 403: forbidden, it's possible the browser is assuming it's a CORS issue. However, in my case, I was getting that error from Postman as well. My issue was that I wasn't adding the API key to the url:

&api-key=YOURAPIKEY

https://NAMEOFYOURSERVICE.search.windows.net/indexes/YOURINDEX/docs?api-version=2015-02-28&search=SEARCHQUERY&api-key=YOURAPIKEY

And to find your API key, check out the image below. I had 3 keys to try to find that the last one worked...

enter image description here

mogile_oli
  • 2,148
  • 2
  • 21
  • 21
2

RE: The accepted answer showing the Keys screen. There are two types of api-keys: Admin and Query.

  • Admin keys can only be specified in the HTTP request header.
  • Query keys grant read-only access in an index and can be specified in either the HTTP request header, or in the as a query parameter in your URL.

The third key that mogile_oli tried and which worked was a Query key.

Exposing an Admin key (the first two mogile_oli tried) as a query parameter in a URL would be a security risk!

See the section labeled Authentication and Authorization in the topic Azure Search Service REST.

A Dudsic
  • 21
  • 2
0

It all worked out for some reason when we changed the resource group of the search instance.

mpetar92
  • 75
  • 1
  • 7
0

Most likely the old CORS settings were being cached on the client side. The default time to live is 5 minutes unless you set maxAgeInSeconds.

Bruce Johnston
  • 8,344
  • 3
  • 32
  • 42
  • We waited for more than that, but it was still not sending the CORS headers correctly, even thou we set maxAgeInSeconds to 300, yet changing the resource group seemed to have fixed the problem somehow. – mpetar92 Jan 18 '16 at 22:29
  • The CORS implementation in Azure Search is unrelated to resource groups, so that was likely a coincidence. Which browser were you using? – Bruce Johnston Jan 19 '16 at 01:25
  • I'm seeing the same issue. I changed the resource group (although it shouldn't be related) but it did not help. The issue is not resolved on my end but I will keep you posted. – mogile_oli Sep 21 '16 at 19:07