Whether you are working with Data-Driven Content objects in SAS Visual Analytics reports,  creating a web page using the newly available SAS Visual Analytics SDK (available with SAS Visual Analytics 8.4), configuring an external proxy server for your SAS Viya environment or giving access to REST API's to external applications, you might get errors related to Cross-Origin Resource Sharing (CORS).

A few questions may come to mind:

• What is CORS?
• Why are you getting those errors?
• How can you configure your SAS Viya environment to avoid those errors?

This is what I will cover in this article.

Cross-Origin Resource Sharing (CORS)

Let's first describe what Cross-Origin Resource Sharing are used for.

Web browsers are enforcing HTTP requests to come from the same domain for security reasons. CORS is a mechanism implemented to tell the browser that it is fine to let a web site on domainA access resources on domainB. To allow this, the web server should send extra information in the HTTP header:

1. Telling the browser that is fine to access resources from another domain.
2. Telling which domain(s) are accepted.

More information

Now that you have a better understanding about what CORS is. You might wonder why it is important for SAS Visual Analytics. Here are some situations:

• When working with Data-Driven Content objects (as in this example), the html files must be hosted on a web server. The web server can be the one configured with SAS Viya or another web server located on another machine. When using the web server configured with SAS Viya, there is no problem as all the HTTP requests will go through the same web server which means that they will all originate from the same domain. When using a web server located on another domain, the requests are refused by the browser as HTTP requests will originate from different domains.
• When developing web pages that are using the SAS Visual Analytics SDK, you can also store the files on the web server configured with SAS Viya or on another web server. As in previous example, when files are stored on the SAS web server, everything runs smoothly. When the files are stored on another domain, the browser complains.
• If you want to configure an additional proxy that is not hosted on the same domain as the SAS Viya environment, you might also encounter problems as described in the following SAS Note.
• SAS Viya gives the opportunity for non-SAS developers to call REST API's to access SAS resources. Most probably, the REST API's calls will come from a machine that is not on the same domain as the SAS Viya environment.

In these situations, you need to configure SAS Viya to send information in the HTTP header confirming it is fine if HTTP requests are coming from another domain.

How do you configure SAS Viya?

The process is described on https://developer.sas.com/reference/cors/  but I will describe it here with screenshots.

Not all users can change the property. To change the value, the user needs to have Administrative privileges.

1. Connect to SAS Environment Manager using a URL similar to: https://myViya.sas.com/SASEnvironmentManager

    

2. When prompted for Assumable Groups, select Yes. If you don't get the following prompt, it means you don't have the necessary rights.

    

   

   Select any image to see a larger version.
   Mobile users: To view the images, select the "Full" version at the bottom of the page.

    

3. Once in SAS Environment Manager, expand the Task bar and select Configuration

    

   

    

4. In the Configuration pane, select Definitions as View and type CORS in the search box

    

   

    

5. Select sas.common.web.security.cors

    

6. Click on New Configuration

    

7. In the prompt, select allowedOrigins and set the domain you want to allow and hit the Save button.

    

   

    

8. Restart the SAS Viya environment.

What value should be used for the allowedOrigins property?

You can set it to * as indicated in the interface. Is it a good practice? I would say no as it would open access to any domain and basically turn off the CORS security. If you have an exhaustive list of domains that are allowed to access the web server, you should enter those domains separated by a comma. An example of how the value might look like:

https://mydomainA.com, https://mydomainB.com, https://mydomainC.com

If you want to allow all the machines on a specific domain, you can use wildcards like this:

*.sas.com

Conclusion

Now you know now how to configure CORS. And now your REST API's, Data-Driven Content objects and SAS Visual Analytics SDK requests from the different domains will be successful without error. There should be no need to change the CORS value unless you want to add or remove domains.

This configuration is not complex but it should be done properly to avoid giving access to too many machines. It is the administrator's responsibility to set the values properly. As Spiderman learned: "With great power comes great responsibility."