[Solved] Web request from Azure DevOps Server extension to own REST API, origin header is null (CORS with credentials)

Jonas M. B 5 Reputation points
2023-02-02T13:09:24.8766667+00:00

Hi,

We embed an extension on work items, in this extension is a button that allows you to register time in our internal time registration system.

Clicking the button sends a CORS web request and the user then has to answer a 401 challenge with basic auth.

This works in Firefox and Edge, but not in Chrome (it used to, but not since upgrading from Azure DevOps Server 2019 to 2022).

We suspect that the issue is due to the origin header of the request being null: the user does not get an opportunity to enter credentials and is instead met with an instant 401 (again, only when using Chrome).

Is there a way to have the domain set to match the URL of our Azure DevOps Server instance (e.g. prefix-company.com)?

We've noticed that the sandbox properties of the iframe that embeds the extension do not include the "allow-same-origin" property. Is there a way to add this property to the iframe?


1 answer

  1. Jonas M. B 5 Reputation points
    2023-02-22T14:38:55.04+00:00

    We managed to find a way to add the "allow-same-origin" property to iframes.

    The script responsible for setting iframe properties on on-premise setups can be found in this bundle: Content?bundle=vss-bundle-common-vGHXheZgS3hyMaUbzls41rxhWznakbcMb0Pqw4EJu1BA=

    The script can be found by navigating to a work item, opening developer tools & checking sources like so:

    [screenshot]

    Step 1:

    Download the file and add "allow-same-origin" to the sandbox properties (the file is big, so use Ctrl+F to find the relevant line). Use the same file name (so Content?bundle=vss... yes, it's a long one).

    pre-edit:

    [screenshot]

    post-edit:

    [screenshot]

    Step 2:

    Save the edited file somewhere on your server like so:

    [screenshot]

    Next, add the following redirection rule to "Azure DevOps Server" (not "tfs"); this will redirect to your new JavaScript file with "allow-same-origin" added to the properties (remember to adjust the path to the file!).

    [screenshot]

    Your web requests should now have a proper origin, instead of origin = null.

    This solved our issue and we are now able to send credentials with web requests made from our extension.

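The other half of the picture is how the REST API being called should treat the Origin header. The following is an added example, not code from the thread or from Azure DevOps Server: it shows CORS-with-credentials handling that echoes back only an allowlisted origin and never the literal "null" origin that a sandboxed iframe (or a data: or file: page) sends. The allowlist entry https://prefix-company.com and the header shapes are assumptions based on the question.

```javascript
// Added example: CORS decision logic for the time-registration REST API side.
// Assumption (not from the thread): the only trusted browser origin is the DevOps server.
const ALLOWED_ORIGINS = new Set(['https://prefix-company.com']);

// Return the CORS headers a response may carry for the given Origin header, or null
// when the origin must not be granted credentialed access. The string "null" is what a
// sandboxed iframe without allow-same-origin sends, but data: URLs and file: pages send
// it too, so reflecting it with Access-Control-Allow-Credentials: true would extend
// credentialed access to every opaque-origin page in the browser.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || origin === 'null' || !allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo the exact origin; "*" is rejected with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Vary': 'Origin', // keep shared caches from replaying one origin's headers to another
  };
}

// Minimal handler mirroring the flow in the question: preflight, 401 Basic challenge,
// then the authenticated call. Header names are lowercase as Node's http module delivers them.
function handle(method, headers) {
  const origin = headers.origin;
  // No Origin header means a non-browser client; such requests get no CORS headers at all.
  const cors = origin === undefined ? {} : corsHeadersFor(origin);
  if (cors === null) {
    // Browser request from an origin we do not trust: refuse instead of echoing it back.
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  if (method === 'OPTIONS') return { status: 204, headers: cors, body: '' };
  const auth = headers.authorization || '';
  if (!auth.startsWith('Basic ')) {
    // The challenge must carry the CORS headers too, otherwise the browser hides the 401.
    return { status: 401, headers: { ...cors, 'WWW-Authenticate': 'Basic realm="time-registration"' }, body: '' };
  }
  return { status: 200, headers: cors, body: 'time registered' };
}

// Constructed sample requests: the failing case from the question (Origin: null)
// and the working case once the extension frame has a real origin.
const sandboxed = handle('POST', { origin: 'null' });
const trusted = handle('POST', { origin: 'https://prefix-company.com' });
console.log(sandboxed.status, trusted.status, trusted.headers['WWW-Authenticate']);
```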
