SAS REST APIs: Cross-Origin Resource Sharing

SAS Viya servers can provide support for Cross-Origin Resource Sharing (CORS), a technique that enables JavaScript on a web page to consume a REST API served from a different origin. CORS is implemented when a server is configured to include additional HTTP headers to let a user agent access selected resources from a server on a different origin (or domain) than the site currently in use. A user agent makes a cross-origin HTTP request when it requests a resource from a different domain, protocol, or port than the one from which the current document originated.

In the simplest scenario, cross-origin communication starts with a client making a GET, POST, or HEAD request against a resource endpoint on the server. The request includes an Origin header that indicates the origin of the client code. The server considers the request's Origin and either allows or disallows the request. If the server allows the request, then it responds with the requested resource and an Access-Control-Allow-Origin header in the response. This header indicates to the client which client origins should be permitted to access the resource. Assuming that the Access-Control-Allow-Origin header matches the request's Origin, the browser allows the request.

If Access-Control-Allow-Origin is missing in the response or if its value does not match the request's Origin, the browser disallows the request.
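
The browser-side decision described in the two paragraphs above, as an added example that is not part of the original page or SAS code; `corsCheck`, the origins and the sample responses are constructed for illustration. It goes slightly beyond the text by also covering requests sent with credentials, where browsers require the exact origin rather than `*` and an `Access-Control-Allow-Credentials: true` header.

```javascript
// Added example (not SAS code): the browser-side CORS check for a simple request.
// The function names, origins and sample responses below are constructed.

// Case-insensitive lookup in a plain object of response headers.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Decide whether script running at `requestOrigin` may read the response.
// `withCredentials` is true when the request carried cookies or HTTP authentication.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  const allowOrigin = header(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "Access-Control-Allow-Origin missing" };
  }
  // The wildcard is honoured only for requests sent without credentials.
  if (allowOrigin === "*" && !withCredentials) {
    return { allowed: true, reason: "wildcard matches any origin" };
  }
  // Otherwise the value must equal the Origin exactly: scheme, host and port.
  if (allowOrigin !== requestOrigin) {
    const reason = allowOrigin === "*" ? "wildcard rejected for credentialed request" : "origin mismatch";
    return { allowed: false, reason };
  }
  // Credentialed requests also need Access-Control-Allow-Credentials: true.
  if (withCredentials && header(responseHeaders, "Access-Control-Allow-Credentials") !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { allowed: true, reason: "origin matches" };
}

// Constructed samples: a page on https://app.example.com calling an API on another origin.
const pageOrigin = "https://app.example.com";
const samples = [
  [{ "Access-Control-Allow-Origin": pageOrigin }, false],
  [{ "Access-Control-Allow-Origin": "https://app.example.com:8443" }, false],
  [{}, false],
  [{ "Access-Control-Allow-Origin": "*" }, true],
  [{ "access-control-allow-origin": pageOrigin, "Access-Control-Allow-Credentials": "true" }, true],
];
for (const [headers, creds] of samples) {
  const { allowed, reason } = corsCheck(pageOrigin, headers, creds);
  console.log(`${JSON.stringify(headers)} credentials=${creds} -> ${allowed} (${reason})`);
}
```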

If you want to enable developers to utilize SAS Viya REST APIs in web applications, you must enable CORS support in the SAS Viya environment using SAS Environment Manager. To configure or update the setting:

  1. Log in to SAS Environment Manager and assume administrator privileges. Note that you must have an account that is authorized as a SAS Administrator to perform these actions.
  2. Select Configuration on the main SAS Environment Manager page.
  3. Select Definitions from the View menu on the Configuration page.
  4. Select sas.commons.web.security.cors from the list of configuration definitions.
  5. Make sure that allowCredentials is enabled. Set the allowHeaders, allowMethods, and allowOrigins properties to * (or wildcard) to accept all values. For each setting, specify a comma-separated list of the values that are enabled by default in cross-origin requests.
  6. Click Save to complete the configuration.

That's it. The CORS setting is in effect for all services supporting the SAS Viya REST APIs.