Cross-Origin Request Blocked

Error Message

Accessing ArcGIS Server services via ArcGIS Server REST Directory fails and returns the following error:

Error:
Cross-Origin Request Blocked:The Same Origin Policy disallows reading the remote resource at https://<FQDN>/portal/sharing/generateToken?request=getToken&serverURL<etc.>

Cause

The Fully Qualified Domain Name (FQDN) is listed under the Allow Origins settings in Portal for ArcGIS. The domain listed in the settings must match the exact request sent from the browser. Portal for ArcGIS does not allow access to the browser if a mismatch exists. The following image shows an FQDN listed under the Allow Origins settings in the Portal for ArcGIS settings page.

Note:
By default, ArcGIS Server allows all JavaScript applications to access web services. To prevent JavaScript applications hosted on other domains from using the web services, ArcGIS Server can be configured to include a list of trusted domains. This reduces the possibility of an unknown application sending malicious commands to the web services. For more information, refer to the web help document ArcGIS Server: Restricting cross-domain requests to ArcGIS Server.

Solution or Workaround

Note:
The steps below are only possible using a Portal for ArcGIS administrator account.

1. Login to the Portal for ArcGIS Home page using an administrator account.
2. On the Portal for ArcGIS Home page, click Organization.

3. On the Organization page, click EDIT SETTINGS.

4. On the settings page, click Security.

5. On the Security settings page, scroll to Allow Origins. Click the red x symbol to remove the desired FQDN listed under the Allow Origins settings.