orchestrator
2023.4
false
UiPath logo, featuring letters U and I in white

Orchestrator User Guide

Automation CloudAutomation Cloud Public SectorAutomation SuiteStandalone
Last updated Dec 5, 2024

CORS/CSP Configuration

Web browser access to Amazon and Azure storage buckets can sometimes be restricted due to Cross Origin Resource Sharing (CORS) and Content Security Policy (CSP) settings.

This applies to Orchestrator buckets as well, when Orchestrator's storage is configured to use Azure or Amazon.

The following operations are impaired when accessing bucket content from the Orchestrator UI:

  • Uploading files into a storage bucket
  • Downloading files from a storage bucket.
  • Opening document validation actions or form actions that use images stored in buckets.

    Note: Accessing storage files using activities is not impacted by CORS and CSP policies because they are browser-specific and are validated/enforced at browser level only.

Both CORS and CSP allow whitelisting identified entities in the web application. See below details about each.

CORS

CORS is a mechanism that allows resources on a web page to be accessed across domain boundaries.

Orchestrator web browser access to Amazon and Azure storage buckets can be restricted due to same-origin-policy on the provider side. Successfully accessing the content of such a bucket from the Orchestrator UI requires you to configure the respective provider to allow cross-origin requests from Orchestrator.

Note:

If you change the frontend DNS, you must update the CORS settings of all storage buckets (S3 or compatible), or on all Azure storage accounts that Orchestrator accesses.

Amazon S3

Add a rule that allows GET and PUT requests from Orchestrator. For example:
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT"
        ],
        "AllowedOrigins": [
            "https://your.orchestrator.dns.name"
        ],
        "ExposeHeaders": []
    }
][
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT"
        ],
        "AllowedOrigins": [
            "https://your.orchestrator.dns.name"
        ],
        "ExposeHeaders": []
    }
]

Azure

Enable GET and PUT operations for requests originating from the Orchestrator. For example:

<Cors>
<CorsRule>
<AllowedOrigins>http://your.orchestrator.dns.name</AllowedOrigins>
<AllowedMethods>PUT,GET</AllowedMethods>
<AllowedHeaders>*</AllowedHeaders>
<ExposedHeaders>*</ExposedHeaders>
</CorsRule>
</Cors><Cors>
<CorsRule>
<AllowedOrigins>http://your.orchestrator.dns.name</AllowedOrigins>
<AllowedMethods>PUT,GET</AllowedMethods>
<AllowedHeaders>*</AllowedHeaders>
<ExposedHeaders>*</ExposedHeaders>
</CorsRule>
</Cors>
Note: Make sure that the URL does not end in a slash.

CSP

Content Security Policy is a web browser security layer that prevents a web app from making requests outside a trusted set of hosts.

When using storage buckets, Orchestrator automatically allows calls to Azure or Amazon S3, if these providers are enabled or if Orchestrator's composite storage is configured to use Azure or Amazon S3.

Important: To prevent CSP issues, use canonical Azure or Amazon names for the container, and avoid vanity URLs.

To fix possible CSP issues, add the Buckets.ContentSecurityPolicy app setting and set its value to a comma-separated list of all domains to be allowed. This parameter overrides the corresponding Orchestrator settings in regards to Azure and AWS, so make sure to adds Azure and/or AWS as well, if needed.

  • CORS
  • Amazon S3
  • Azure
  • CSP

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.