Skip to content


Cross Origin Resource Sharing (CORS) - also referred to as the Same Origin Policy - is a security setting enabled in all modern browsers that prevents a javascript loaded from Server A interfacing with Server B. This exists to prevent a script from, say,, interfering with a session.

You'll know you are affected if you see a message such as the following in your browser console:

XMLHttpRequest cannot load http://SASMIDTIER:8080/SASStoredProcess/do.
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:54048' is therefore not allowed access.

As this is a browser setting, for development purposes the issue can be side-stepped by launching your browser with the setting disabled. Sample commands for this are listed below:

OS Browser Launch Command
Mac Google Chrome open -n -a Google\ Chrome --args --disable-web-security --user-data-dir=/tmp/chrome
Mac Brave open -n -a /Applications/Brave\\ Browser -n --args --incognito --disable-web-security --user-data-dir="/tmp/brave"
Linux Chromium chromium --disable-web-security --user-data-dir="/tmp/chrome"
Linux Google Chrome google-chrome --disable-web-security --user-data-dir="/tmp/chrome"
Windows Google Chrome "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=C:\Temp

It does not seem to be possible to enable CORS in modern Firefox browsers.

You will know if you are successful if you see a You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer. message.

Note - even with CORS enabled you still may be unable to connect to SAS (9 or Viya) if whitelisting is enabled. Also, if you are pushing your web app to a server outside of SAS, you will still have the CORS issue.

To resolve this you will need to ask your administrator, and perhaps offer them the guidance below.


To fix the issue on SAS EBI, open SAS Management Console and navigate through Application Management -> Configuration Manager -> SAS Application Infrastructure.

Right click / properties and add your target url to the following property: sas.web.csrf.referers.knownHosts

Some points to note about this list of urls:

  • They are comma separated
  • The domain should include the trailing slash/
  • The domain can include a partial path for further security, eg
  • After modifying the property, the SAS Web Application Server must be restarted.

For more information, see the SAS Middle Tier Admin Guide.

SAS Viya

A comprehensive article on CORS and CSRF management on SAS Viya is available here.