I just got off the phone with NetSuite support, after exhausting all efforts to make a client-side call from a page in our SuiteCommerce Advanced website directly to NetSuite. It was getting a CORS (Cross-Origin Resource Sharing) scripting error.
Here’s what’s going on. We were looking for a way to get client-side access to a public Suitelet or RESTlet in NetSuite. The problem: it was blowing up with a CORS error. Apparently, NetSuite does not support cross-origin requests from client-side script, even from one of our own domains, SCA.
Here is the exact scenario which brought on the call to NetSuite support. We wanted to click a button in the SCA page which would fetch additional warehouses with our product. This data comes from custom record types in NetSuite. So the NetSuite developer knows where that data lives; the SCA developer does not. At this point, the conversation went something like this, “Hey, I’ll just make that data available to you through a public Suitelet. It’s not proprietary information. You can see it on the page. Why not?”
However, we hit the wall with a CORS error from NetSuite. So… You’d think that since NetSuite and SCA are one and the same, NetSuite’s public Suitelets would carry a response header that looked like this:
Access-Control-Allow-Origin: [URL of SCA website]
However, you’d be wrong. Without the response header (supplied by the web service), all browsers block the AJAX call back to the requested web service.
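As an added example (not code from this post or from NetSuite), here is a simplified JavaScript model of the check a browser runs on a cross-origin response before page script may read it. It covers only the response-header check, not preflight requests, and the host names are constructed placeholders.

```javascript
// Simplified model of the browser-side CORS response check (added example).
// Hosts are constructed placeholders for the SCA site and a public Suitelet.
const SCA_PAGE = 'https://shop.example.com/product/123';
const SUITELET = 'https://netsuite.example.com/suitelet';

function corsCheck(pageUrl, requestUrl, responseHeaders, withCredentials = false) {
  // URL.origin drops default ports, so :443 on https compares equal to no port.
  const pageOrigin = new URL(pageUrl).origin;
  if (pageOrigin === new URL(requestUrl).origin) {
    return { readable: true, reason: 'same-origin' };
  }
  // Header names are case-insensitive; values are compared after trimming.
  const headers = new Map(Object.entries(responseHeaders)
    .map(([name, value]) => [name.toLowerCase(), String(value).trim()]));
  const allowOrigin = headers.get('access-control-allow-origin');
  if (allowOrigin === undefined) {
    return { readable: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  if (allowOrigin === '*') {
    // The wildcard is honoured only for requests sent without credentials.
    return withCredentials
      ? { readable: false, reason: 'wildcard with credentials' }
      : { readable: true, reason: 'wildcard' };
  }
  // Any other value must equal the page's origin exactly: no path, no slash.
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: 'origin mismatch' };
  }
  if (withCredentials && headers.get('access-control-allow-credentials') !== 'true') {
    return { readable: false, reason: 'credentials not allowed' };
  }
  return { readable: true, reason: 'origin allowed' };
}

// The situation in the post: the response carries no CORS header at all.
console.log(corsCheck(SCA_PAGE, SUITELET, { 'Content-Type': 'application/json' }));
// What the post expected the Suitelet to send.
console.log(corsCheck(SCA_PAGE, SUITELET,
  { 'Access-Control-Allow-Origin': 'https://shop.example.com' }));
```

The check runs in the browser after the response arrives, so for a simple GET a missing header hides the response from script rather than stopping the server from receiving the request.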
Since CORS blocked us, the code had to move to server-side SCA, where an SCA developer had to write it. Darn!