[Review] Map Layers widget - Map layer validation failed for URL

How to add WMS services as background? 
All services I try end with "Map layer validation failed for URL" error.
Is it because of CORS?

  • Hi Oto, I have tried to access your URL and by hitting F12 to launch the developer console, I can confirm that it is a CORS policy problem.

    You need to configure (whitelist) your WMS server to accept the URLs coming from the Bentley App you use to access your iModels:

    For the Bentley CONNECT portal:


     If you launch through the iTwin Design Review Hub, this address must be added:


     If you launch it through the iTwin Hub, this address must be added:



  • Then this renders this feature unusable if public and opendata WMS can't be used.
    Then why does Ron's example work?

  • Hi. No, I don't believe that statement to be true. Ron's example works because that server supports CORS. When the browser sends the Origin: header, the response contains a proper Access-Control-Allow-Origin response. That satisfies the browser's concerns about CORS. When presented with an Origin: header, your WMS server does not provide an Access-Control-Allow-Origin response. The browser takes this as a refusal from your server to respond to this particular request. CORS is a protection mechanism against malicious web pages that would do cross-domain requests without your consent. Bentley did not invent this. I suggest you look at a document on the internet, like this one for example: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS .

    Making a (WMS) web server public simply means making it CORS-compliant and whitelisting the proper origins, or "*" in the case of a public site. 

    Your server will work fine as it is today when it's called directly, or from another executable program. Only web browsers apply CORS rules. iTwin applications like Design Review are web applications and as such are bound to respect the CORS rules. We have built our WMS and in general map layers support so that requests are made from your browser instead of going through another Bentley cloud service first. Although that would have removed the CORS problem, it would have slowed down each request. More importantly, it would have prevented access to on-premise WMS or Esri REST services when they are not accessible publicly. The current solution supports both on-premise private servers as well as public services, as long as CORS is configured. 

    Hope this helps.


  • How to verify if WMS server is CORS-compliant? I do not see such response from .au server.

    I would gladly use an on-premise WMS, but Bentley no longer has such a product, so I have to rely on 3rd party servers.

  • It seems the server only returns the Access-Control-Allow-Origin header in its response if it has received an Origin header in the request. Typing the address directly in your web browser will not add an Origin header since it is the original request. The CORS system is for web requests that are done within the code of a web page, in case they go to a different domain.

    The way I've simulated it is by using an HTTP tracing application (debugging proxy) that let me replay past requests and edit them. I was able to manually add an Origin header with a fake domain to verify if CORS was supported.
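
The check described in the reply above (send the request with an Origin header and inspect the response) can also be scripted. This is an added example, not part of the original thread and not Bentley code; the origin `https://app.example`, the function names and the sample headers are constructed for illustration.

```python
import sys
import urllib.error
import urllib.request

def cors_verdict(origin, headers, credentials=False):
    """Apply the browser's Access-Control-Allow-Origin check to (name, value) pairs."""
    # Header names are case-insensitive; collect every matching value.
    low = [(k.lower(), v.strip()) for k, v in headers]
    acao = [v for k, v in low if k == "access-control-allow-origin"]
    if not acao:
        return (False, "no Access-Control-Allow-Origin header in response")
    if len(acao) > 1 or "," in acao[0]:
        return (False, "more than one allowed-origin value is rejected")
    if credentials:
        # Requests carrying cookies or HTTP auth need an exact origin plus an opt-in.
        if acao[0] == "*":
            return (False, "wildcard is not accepted for credentialed requests")
        if ("access-control-allow-credentials", "true") not in low:
            return (False, "Access-Control-Allow-Credentials: true is missing")
    if acao[0] == "*":
        return (True, "wildcard allows any origin")
    if acao[0] == origin:
        return (True, "server allows this origin")
    return (False, f"server allows {acao[0]!r}, not {origin!r}")

def probe(url, origin, timeout=10):
    """Fetch url with an Origin header, as a page served from `origin` would."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return cors_verdict(origin, resp.getheaders())
    except urllib.error.HTTPError as err:
        # Error responses still carry headers worth checking.
        return cors_verdict(origin, err.headers.items())

# Constructed sample responses: one CORS-enabled server, one without CORS headers.
ORIGIN = "https://app.example"
WITH_CORS = [("Content-Type", "text/xml"), ("access-control-allow-origin", ORIGIN)]
WITHOUT_CORS = [("Content-Type", "text/xml")]

if __name__ == "__main__":
    if len(sys.argv) == 3:          # usage: script.py <WMS URL> <origin>
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        print(cors_verdict(ORIGIN, WITH_CORS))
        print(cors_verdict(ORIGIN, WITHOUT_CORS))
```

Pass the WMS GetCapabilities URL and the origin of the web application that will load the layer; a `False` verdict corresponds to the browser refusing the response.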