AVEVA™ Products Feedback Portal


Status Submitted
Portfolio area Historian & Client
Created by Jake Hawkes
Created on Apr 7, 2026

Historian CORS allowlist should also work for desktop applications

ADO Work Item #4695422 — Historian CORS allowlist is not working as expected
https://dev.azure.com/AVEVA-VSTS/_workitems/edit/4695422

RESOLUTION

This issue is working as designed. Supporting a desktop-style application on this interface requires changes to the middleware between the request gateway and the API endpoint, which can only be considered for a major release. It is therefore considered an enhancement, which needs to be prioritised against all other requests.

The proposed enhancement would entail:

1. Introduced dedicated early OWIN middleware for CORS handling.

2. Loaded allowed origins from CorsSetting.json.

3. Validated incoming Origin values against the configured allowlist.

4. Applied the required CORS headers for valid cross-origin and preflight requests.

5. Prevented downstream services from overwriting gateway CORS headers.

6. Reapplied final CORS headers before sending the response.

7. Verified that configured origins now work correctly while normal non-CORS OPTIONS requests continue through the pipeline.

DESCRIPTION

Historian CORS allowlist is not working as expected
I have reproduced the issue with a simple CORS allowlist:
<!DOCTYPE html>
<html>
<head>
  <title>Call Java REST API</title>
</head>
<body>
  <h2>Get User Data</h2>
  <button onclick="callApi()">Fetch Data</button>
  <pre id="output"></pre>

  <script>
    function callApi() {
      const username = '***********';
      const password = '**************';

      // Encode credentials to Base64
      const encodedCredentials = btoa(`${username}:${password}`);

      fetch('http://10.0.0.4:32569/historian/v2', {
        method: 'GET',
        headers: {
          'Authorization': `Basic ${encodedCredentials}`,
          'Content-Type': 'application/json'
        }
      })
        .then(response => {
          if (!response.ok) throw new Error('Network response was not ok');
          return response.json();
        })
        .then(data => console.log(data))
        .catch(error => console.error('Error:', error));
    }
  </script>
</body>
</html>

The logger shows it matches the CORS policy:
SetCORSPolicy:Request.Headers.Get:http://10.0.0.5
AllowedUrls:http://10.0.0.5,http://CLIENT,http://CLIENT:80,http://10.0.0.5:80,http://10.0.0.5/Dashboard,http://CLIENT/Dashboard
Found:True
 ContextRequestUri: http://10.0.0.4:32569/historian/v2
/favicon.ico:1 Failed to load resource: the server responded with a status of 404 (Not Found)
home.htm:1 Access to fetch at 'http://10.0.0.4:32569/historian/v2' from origin 'http://10.0.0.5' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.
10.0.0.4:32569/historian/v2:1 Failed to load resource: net::ERR_FAILED
home.htm:31 Error: TypeError: Failed to fetch
  at callApi (home.htm:19:1)
  at HTMLButtonElement.onclick (home.htm:8:29)
(anonymous) @ home.htm:31

home.htm:1 Access to fetch at 'http://10.0.0.4:32569/historian/v2' from origin 'http://10.0.0.5' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.
home.htm:19 GET http://10.0.0.4:32569/historian/v2 net::ERR_FAILED
callApi @ home.htm:19
onclick @ home.htm:8
home.htm:31 Error: TypeError: Failed to fetch
  at callApi (home.htm:19:1)
  at HTMLButtonElement.onclick (home.htm:8:29)
(anonymous) @ home.htm:31
Promise.catch
callApi @ home.htm:31
onclick @ home.htm:8

STEPS TO REPRODUCE

Just write a simple REST API call from two nodes.
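
As an added example (not AVEVA's code and not part of the original post), the following JavaScript models the gateway decisions listed under RESOLUTION and the browser check behind the console error: an Origin match (`Found:True`) is not enough if the preflight response does not also allow the requested headers. The function names, the `allowedHeaders` and `allowedMethods` values, and the 403 for rejected preflights are assumptions; only the origin entries come from the log.

```javascript
// Added example, not AVEVA code. Header names are lower-cased, as Node.js does.
// allowedOrigins repeats AllowedUrls from the log above; the rest is assumed.
const config = {
  allowedOrigins: ['http://10.0.0.5', 'http://CLIENT', 'http://CLIENT:80',
    'http://10.0.0.5:80', 'http://10.0.0.5/Dashboard', 'http://CLIENT/Dashboard'],
  allowedHeaders: ['authorization', 'content-type'],
  allowedMethods: ['GET', 'POST', 'OPTIONS'],
};

// Origin is scheme://host[:port] only: no path, no default port.
function normalizeOrigins(entries) {
  return new Set(entries.map((entry) => new URL(entry).origin));
}

// Steps 2-3: CORS headers for an allowlisted Origin, or null otherwise.
function corsHeadersFor(req, cfg) {
  const origin = req.headers.origin;
  if (!origin || !normalizeOrigins(cfg.allowedOrigins).has(origin)) return null;
  return { 'access-control-allow-origin': origin, vary: 'Origin' };
}

// Steps 4-7: answer preflights at the gateway, pass everything else on.
function handle(req, cfg, downstream) {
  const cors = corsHeadersFor(req, cfg);
  const preflight = req.method === 'OPTIONS' && 'origin' in req.headers &&
    'access-control-request-method' in req.headers;
  if (preflight) {
    if (!cors) return { status: 403, headers: {} }; // assumed rejection status
    return { status: 204, headers: { ...cors,
      'access-control-allow-methods': cfg.allowedMethods.join(', '),
      'access-control-allow-headers': cfg.allowedHeaders.join(', ') } };
  }
  const res = downstream(req); // plain OPTIONS without Origin also lands here
  const headers = {};
  for (const [name, value] of Object.entries(res.headers)) {
    // Drop CORS headers set downstream so only the gateway's values survive.
    const key = name.toLowerCase();
    if (!key.startsWith('access-control-')) headers[key] = value;
  }
  if (cors && headers.vary) cors.vary = `${headers.vary}, Origin`;
  return { status: res.status, headers: { ...headers, ...(cors || {}) } };
}

// Simplified browser preflight check: requested headers the response omits.
function blockedHeaders(preflightRes, requested) {
  const allowed = (preflightRes.headers['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase());
  return requested.filter((h) => !allowed.includes(h.toLowerCase()));
}
```

The six logged allowlist entries reduce to two distinct origins, because entries with a path or an explicit `:80` can never equal a browser's `Origin` value as written.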

