Wt

Hello Alex,

Wt should always define a couple headers at least, for ALL its responses.
I quickly checked the output of curl -I on the widget gallery. This give me a 400, as this sends a HEAD request. I believe curl -X GET -I should be what you are looking for.
This correctly return 200 (or a 302 in case an internal path is necessary).

I hope that helps!

Best,
Matthias

Thank you for your reply. The real problem I am facing is that while using WidgetSet for embedding my application into a customer webpage I get CORS errors (Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at .. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)). Could the reason be the failing HEAD request?

You are likely missing an entry in the allowed-origins property. A WidgetSet application will be used inside another website. To ensure that not just any page can embed the website, CORS is enforced (by the browser). Meaning that if the embedded page and main page have a different host/origin, the main page is by default not allowed to be embedded (for Wt applications). The allowed-origins property inside the wt_config.xml file allow you to specify origins that are allowed to embed the page. That way you can be sure that any access to the page happens through any endpoint you define.

The value is a comma-separated list in a string form. E.g. <allowed-origins>https://www.example.com,https://subdomain.example.com</allowed-origins>.

That should prevent the CORS issue from popping up. If you have any further issues, let me know!

Matthias, thank you for your help. I used * all the time, but for some reason, it did not work for me. Setting "allowed-origins" to the domain of the embedding website solved the issue.

However, I still don't understand why the HEAD request fails with "400 Bad Request". Running curl -I http://webtoolkit.eu returns 301 just like any other webpage I tested.