CORS Wildcard disabled on 07/17/2019 - Action may be required
Scheduled Maintenance Report for LoanPro
Completed
The scheduled maintenance has been completed.
Posted Jul 17, 2019 - 19:10 MDT
In progress
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Posted Jul 17, 2019 - 19:00 MDT
Scheduled
LoanPro Clients,

As previously announced on June 5th, 2019, LoanPro Software has enhanced its security around CORS. On July 17th, 2019, LoanPro will be disabling all wildcard CORS domains. This means that if you have not already entered your domain into the settings of your LoanPro account, then browser-based connections to LoanPro MAY be interrupted.

Cross-Origin Resource Sharing (CORS) is a mechanism that all major browsers implement. It builds on the browser's same-origin policy: a web page may only read the response to a request it sends to another origin if that origin's server opts in through the Access-Control-Allow-Origin header. Restricting that header to specific origins therefore tightens security while still allowing third-party calls to the LoanPro API that originate from a browser. NOTE: This last point is extremely important; CORS is enforced by the browser, so it only affects API calls made from a browser. If a customer is not making API calls from a browser (for example, they have backend processes communicating with our API), then they are not affected at all.

To limit the impact on clients, the change introduced in June 2019 honours the CORS domain list when one is set in the tenant settings; if the tenant has no domain set, it falls back to the * wildcard. Effective July 17th, that fallback is removed, and ONLY domains registered in the tenant settings will be allowed. THIS WILL DISRUPT YOUR API SERVICE IF YOU ARE INDEED MAKING THIRD-PARTY API CALLS FROM A BROWSER AND THOSE DOMAINS ARE NOT REGISTERED IN THE TENANT SETTINGS.

Please take the steps now to ensure that no access interruptions occur on July 17th, 2019.

For your convenience, the original announcement on CORS from June 5th, 2019 is included below.


Thanks,


César Olea
Director of Software Development - Simnang

=======


Update - ANNOUNCEMENT effective June 19th, 2019:

In preparation for the release on June 19th, we have a change that will be introduced that MIGHT require some action on your part.

As you may be aware, LoanPro has developed its own API, allowing users to build and integrate their own solutions with LoanPro. This is the same API that the LoanPro Website uses, so the full power of LoanPro is at your disposal.

The LoanPro API is an HTTP-based system, so browser calls to it are governed by the Cross-Origin Resource Sharing standard. Traditionally LoanPro responded with the header Access-Control-Allow-Origin: *, allowing any origin (your website, for example) to call LoanPro API endpoints from a browser. In an effort to boost the security of our users, this behavior will be changed effective June 19th, 2019. ACTION MAY BE REQUIRED TO AVOID INTERRUPTION OF SERVICE.

What do I have to do?

First, if you don’t use the API from another website (for example, using JavaScript to call the LoanPro API from your website), there is nothing you need to do.

If you do need to send cross-origin requests, the only thing to do is:
1 - Log in to LoanPro as an administrator.
2 - Navigate to Company Settings.
3 - Specify one or more domains to allow as origins.
4 - Save changes.

https://articles.simnang.com/#/articles/5af068f13fa59700247dad07

Once this is set, LoanPro will compare the Origin header it receives with the list you provided and set the Access-Control-Allow-Origin header accordingly. If the origin doesn’t match, the header will not be included as part of the response, and the browser will refuse to hand the response to the calling script, so the request fails. Note that this is enforced on the browser side: for requests that do not need a preflight, the HTTP request itself may still reach the API; it is the response that the browser withholds from the page.
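To make the two behaviours concrete (the wildcard fallback described in the July notice for tenants with no domain set, and the exact-match check described just above), here is an added example in Node.js. It is not LoanPro's or Simnang's code: the function names, the normalisation of scheme, host and port, the Vary header, the sample allowlist and the sample request origins are all assumptions made for illustration. The announcement only states that the received origin is compared with the configured list and that the header is set or omitted accordingly.

```javascript
// Added example, not LoanPro/Simnang code: a Node.js model of the
// origin-allowlist behaviour described in the announcement. Function names,
// the sample allowlist and the request origins below are constructed for
// illustration; LoanPro's real matching rules are not documented here.

// Reduce an origin string to the form a browser puts in the Origin header:
// scheme://host[:port], lower-cased, default port dropped, no path.
// Returns null for anything that is not a usable origin (e.g. "null" or undefined).
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null;
  }
  // A bare trailing "/" is tolerated (people paste it into settings), but a
  // real path, query or fragment means this is a URL, not an origin.
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  return url.origin;
}

// Compute the CORS response headers for one request.
//   requestOrigin  - value of the incoming Origin header (undefined if absent)
//   allowedOrigins - the domains registered in Company Settings
//   legacyWildcard - true:  pre-July-17 fallback (empty list => "*")
//                    false: current behaviour   (empty list => no header)
function corsHeadersFor(requestOrigin, allowedOrigins, { legacyWildcard = false } = {}) {
  const headers = {};
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));

  if (allowed.size === 0) {
    if (legacyWildcard) headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }

  const origin = normalizeOrigin(requestOrigin);
  if (origin !== null && allowed.has(origin)) {
    // Echo the one matching origin (never "*"), and tell caches that the
    // response depends on the Origin header.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
  }
  // No match: header deliberately omitted; the browser will block the read.
  return headers;
}

// The browser-side decision: script running on pageOrigin may read the
// response only if the header is "*" or names that exact origin.
function browserAllowsRead(pageOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || (acao !== undefined && acao === normalizeOrigin(pageOrigin));
}

// Constructed sample tenant configuration, as it might be pasted into settings.
const TENANT_ALLOWLIST = ["https://portal.example.com", "https://Admin.Example.com:443/"];

// Constructed request origins covering the interesting cases.
const SAMPLE_ORIGINS = [
  "https://portal.example.com",              // registered
  "https://admin.example.com",               // registered once normalised
  "http://portal.example.com",               // scheme differs: a different origin
  "https://portal.example.com:8443",         // port differs: a different origin
  "https://www.portal.example.com",          // subdomain: not registered
  "https://portal.example.com.attacker.net", // prefix trick: not registered
];

// For each sample origin, report whether a page there could read an API
// response under the old wildcard fallback, under the new behaviour with an
// empty list, and under the new behaviour with the allowlist above.
function outcomes() {
  return SAMPLE_ORIGINS.map((o) => ({
    origin: o,
    legacyNoList: browserAllowsRead(o, corsHeadersFor(o, [], { legacyWildcard: true })),
    currentNoList: browserAllowsRead(o, corsHeadersFor(o, [])),
    currentWithList: browserAllowsRead(o, corsHeadersFor(o, TENANT_ALLOWLIST)),
  }));
}

console.table(outcomes());
```

Run it with node to see the table: every origin could read responses under the old wildcard, none can with an empty list under the new rules, and only the two registered origins can with the allowlist. The model matches on the whole origin (scheme, host and port), which is what a browser sends in the Origin header; whether LoanPro matches on the bare domain or on the full origin is not stated in the announcement, so register exactly what the settings page asks for. To check a real tenant before the cutover, send a request to the API with an Origin header set to your site's origin (the browser's developer tools show the value, or use curl with -H 'Origin: https://your.site') and confirm that the response carries Access-Control-Allow-Origin naming that origin rather than *; if the header is missing, the origin is not registered.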

And that’s all. For more information on CORS and why it’s needed, please consult the MDN Web Docs article linked below. If you have further questions, don’t hesitate to contact LoanPro support.

Thanks,


César Olea - Director of Software Development
Simnang

* https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Posted Jul 17, 2019 - 07:03 MDT