Product

Problem Description:

User gets the following errors when launching or uploading files using the Assetwise web client in a high availability (HA) environment:

Access to XMLHttpRequest at ... from origin ...has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Refused to display.../Framework/Endpoint/DownloadFile...in a frame because it set 'X-Frame-Options'...to 'sameorigin'.

Cause:

By default, enhanced browser security does not allow Cross-origin resource sharing (CORS), which is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. CORS policy may block resources requested from another server (URL) within the same domain.

Solution:

1.Make sure the domain name(s) of all the Assetwise web servers, and that of the load balancer, are included in the "Content-Security-Policy" line of all the web.config files. For example if the Assetwise servers are in the "Bentley.com" domain, then your line will looklike this:

<add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' *.bentley.com https://AssetwiseServer01.Bentley.com/ALIM/; font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com 'unsafe-inline'" ></add>

2. In each of the web.config files, in the <SiteUrl> section, make sure the line refers to the individual Assetwise server (a NOT the load balancer). For example:

 <SiteUrl>
          <add siteName="Main" community="Assetwise01" url="https://AssetwiseServer01.Bentley.com/ALIM" />
 </SiteUrl>

Workaround:

(Not recommended) Set your browser to be working in disabled security mode so that it does not enforce same origin policy.

Bentley Internal: https://www.yammer.com/bentley.com/#/Threads/show?threadId=605593521668096

SR 7001032219