Symptom
- The Security parameter under General Parameters in SAP CPQ "Allowed origins for the CORS filter" is not functioning as expected.
- Whether this field is left empty or set to a particular URL, it does not block any API HTTP requests originating from the Script Workbench in CPQ.
- The expectation is that an empty field should not allow any API HTTP requests, and that specifying a URL should only allow API calls from that specific tenant.
Environment
Sales Cloud CPQ
Reproducing the Issue
- Navigate to the General Application parameter in the Security tab in the SAP CPQ tenant.
- In the "Allowed origins for the CORS filter", enter the HTTP URL of any other tenant and save the changes.
- Execute an API call from the Script Workbench.
- Observe that the CORS filter does not block the API HTTP requests, contrary to the expected behaviour.
Cause
The empty field in the CORS filter is equivalent to setting the parameter to "*", which means all origins are allowed.
Resolution
- If all origins are to be allowed, leave the field empty or set the parameter to "*".
- To specify which origins are allowed, provide a list of allowed origins in the CORS filter field.
- If only the tenant's origin should be allowed, the list should contain just that tenant's URL.
Note: CORS is meant for JavaScript requests from browsers, and the browser automatically rejects requests which do not satisfy CORS.
However, requests from the Script Workbench are server-side requests, so CORS restrictions do not apply to these requests.
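The behaviour described in the Cause and the Note can be modelled in a few lines. This is an added illustrative example, not SAP CPQ code: the function names and the tenant origins are constructed, and the allowed origins are passed as a Python list because the page does not state the field's list format.

```python
# Illustrative model only; not SAP CPQ's implementation.
# All origins below are constructed sample values.

def cors_response_headers(allowed, origin):
    """Headers a CORS filter adds, given the configured origins and the
    request's Origin header (None when the client sends none)."""
    allowed = [a.strip().rstrip("/") for a in allowed if a.strip()]
    if not allowed:
        allowed = ["*"]          # empty field behaves like "*" (see Cause)
    if origin is None:
        return {}                # nothing to evaluate without an Origin header
    if "*" in allowed:
        return {"Access-Control-Allow-Origin": "*"}
    if origin.rstrip("/") in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}                    # request is still answered, just without the header


def can_read_response(client, page_origin, headers):
    """Who enforces CORS: a browser checks the header before handing the
    response to page script; a server-side HTTP client never checks it."""
    if client == "server":
        return True
    acao = headers.get("Access-Control-Allow-Origin")
    return acao is not None and acao in ("*", page_origin)


if __name__ == "__main__":
    tenant_a = "https://tenant-a.example"
    tenant_b = "https://tenant-b.example"
    for label, allowed in (("empty field", []), ("only tenant A", [tenant_a])):
        for client, origin in (("browser", tenant_a),
                               ("browser", tenant_b),
                               ("server", None)):
            headers = cors_response_headers(allowed, origin)
            print(label, client, origin,
                  can_read_response(client, origin, headers))
```

In the model, the "server" rows return True for every setting, which matches the Script Workbench observation: restricting API access for non-browser clients is a job for authentication and authorization, not for the CORS filter.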
Keywords
SAP CPQ, CORS filter, API HTTP requests, allowed origins, security parameter, tenant, server-side requests, JavaScript requests, Script Workbench, KBA, CEC-SAL-CPQ, Sales Cloud CPQ, Problem
Product
SAP CPQ all versions
SAP Knowledge Base Article - Public