Enable CORS for Reporting Services

Question

I need to enable CORS in Reporting Services so that I can download reports from my web application using ajax. What I\'ve learned so far is, that SSRS is no longer using II

Answer 1

For SSRS 2017 (Restful APIs) Connect to the reporting server using SSMS, and make sure you set the service type to Reporting Services on the connection dialogue. Also, if you using a different method of authentication, then set that and enter your username/password

Once connected, on the head node "server" right click -> properties -> advanced And you will find all CORS properties, set what you need

https://docs.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-reporting-services?view=sql-server-2017

Answer 2

I managed to get this working by adding the following code to the global.asax in reportserver directory.

<%@ Application Inherits="Microsoft.ReportingServices.WebServer.Global"  %>
<%@ Import namespace="System.Web" %>
<%@ Import namespace="System.Security" %>

<script runat="server">
private static bool init;
private static object lockObject = new object();

void Application_BeginRequest(object sender, EventArgs e)
{
    lock(lockObject)
    {
        if (!init)
        {
            HttpContext context = HttpContext.Current;
            HttpResponse response = context.Response;
            string allow = @"Access-Control-Allow-Origin";

            // enable CORS
            response.AddHeader(allow, "http://yoursourcedomain.com");
            response.AddHeader(@"X-Frame-Options", "ALLOW-FROM http://yoursourcedomain.com");
            response.AddHeader(@"Access-Control-Allow-Credentials", "true");

            if (context.Request.HttpMethod == "OPTIONS")
            {
                response.AddHeader(@"Access-Control-Allow-Methods", "GET, POST");
                response.AddHeader(@"Access-Control-Allow-Headers", "Content-Type, Accept, Authorization");
                response.AddHeader(@"Access-Control-Max-Age", "1728000");
                response.StatusCode = 200;
                response.End();
                HttpApplication httpApplication = (HttpApplication)sender;
                httpApplication.CompleteRequest();
            }
            init = true;
        }
        else
        {
            init = false;
        }
    }
}
</script>

HTH cheers Dave

Answer 3

re: et3rnal's correct answer (there are many ways but this is probably the most straightforward, recommended):

As mentioned you can control request header and CORS settings here.

Answer 4

A similar question last year elicited an answer of "that's not possible, use ReportViewer control" from a Microsoft employee.