Unable to access ArcGIS Server map services from external applications

Description

Certain ArcGIS Server map services cannot be loaded in a third-party application, although the same services are accessible in ArcGIS Map Viewer. When inspecting the request in the browser Developer Tools, the following Cross-Origin Resource Sharing (CORS) error is returned:

Error:
<domain> has been blocked by CORS policy: the value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*'.

This indicates the browser blocks the request due to CORS policy enforcement, preventing the third-party application from accessing the ArcGIS Server REST service.

Cause

ArcGIS Server uses the allowedOrigins parameter to determine which domains are permitted to make cross-origin requests to REST services. In this case, the parameter is configured with an unsupported value (*survey123). Only fully qualified domain names or the wildcard * are supported. Because the configured value does not match the requesting domain, ArcGIS Server does not return a corresponding Access-Control-Allow-Origin header. As a result, the browser blocks the request due to CORS policy enforcement. The services remain accessible in ArcGIS Map Viewer because the application accesses the service from an allowed origin or through a proxy.

Solution or Workaround

1. Log in to the ArcGIS Server Administrator Directory as an administrator.
2. Navigate to system > handlers > rest > servicesdirectory.
3. On the Services Directory page, for Supported Operations, click edit.
4. Locate the AllowedOrigins parameter.
5. Remove *survey123 and update the value to *.
6. Click Save.