top of page
  • Writer's pictureAlibek Jakupov

Azure ML Studio + CORS: Security vs Flexibility

Updated: Nov 19, 2021

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”

Stephane Nappo, Global Head Information Security for Société Générale International Banking

One of the most attractive things about Azure ML Studio is the ability to quickly deploy your trained model as a web service. Moreover, a sample code (in C#, Python and R) is provided to call your API from any modern client, which makes it extremely easy to integrate into your website or a desktop application.

However, for web developers it may sometimes be tricky to integrate it in your existing solution. For instance, if you have your front-end written in JavaScript and call your newly created service directly from the client code you may face some strange error, saying that CORS is not enabled for the service. As Mozilla’s developer platform says: “Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin. A web application makes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port) than its own origin” ( ). Thus, cross origin requests are subject to restrictions, primarily for security reasons. In other words, web objects from one domain, as JavaScript, cannot request objects from another domain (web service requests in our case). Sounds weird, right? Given the fact that most of the modern front end is written using js libraries it makes the web service completely useless. But as the proverb says:

Where there is a will there is a way.

Fortunately, there are several workarounds that we are going to discuss now.

Firstly, it is possible to disable the CORS using API Management Service. If you have already faced this issue you have surely seen this post in stackoverflow (, which says that in order to allow CORS using API Management service you should enable it in the API configuration page. However, as the stackoverflow users have mentioned, it requires paying even more money, as it requires your web service to be wrapped into another web service. Well, that’s true and that’s really disappointing. Hopefully this feature will be added in the nearest future.

Secondly, to conform AML CORSE restrictions, it is possible to host your own web application (instead of having a wrapper service), for instance an ASP.NET webpage, and invoke your web service from there. This solution I have found from the AML Studio official book and this seems much more attractive for me. Ok, I admit, it requires additional development, but at least I do not have to pay extra money for hosting another service.

To sum up, basically we have two solutions to overcome this limitation:

First, host your own web service, providing CORS support, which will invoke your web service. This is faster, allows invoking the service on behalf of different web and mobile clients but requires additional payment.

Second, you may host your own web application and invoke the service from there. This solution is for greedy and hardworking ones but allows making your solution more flexible.

Good luck and keep learning!

536 views0 comments


bottom of page