Configure Security Settings

Security settings include enabling cross-origin resource sharing (CORS) and embedding content into other domains.

From the Security page, you can perform the following actions:

Enable Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) allows a web page to make requests such as XMLLHttpRequest to another domain. If you have a browser application that integrates with Oracle Content and Experience Cloud but is hosted in a different domain, add the browser application domain to Oracle Content and Experience Cloud’s CORS origins list.

The REST APIs use CORS because they're called from JavaScript code that runs in a browser and the REST APIs and Oracle Content and Experience are hosted in different domains.

If your browser application needs to use a REST endpoint that doesn't support CORS or that needs service account credentials, you can instead register and use the endpoint via Oracle Content and Experience’s integrated proxy service. See Configure Proxy Service Settings.

In general, inline frames can host content if the protocol, domain, and port of the inline frame are identical to those for the content it displays. For example, by default, an inline frame on the page http://www.example.com:12345/home.html can host content only if the content's protocol is also http, the domain is www.example.com and the port is 12345.

However, if the application is in a different domain than Oracle Content and Experience, you need to need to add the application’s host machine information to the list of front channel CORS origins, back channel CORS origins, or both.

  • If the request is a cross-domain request (not originating from Oracle Content and Experience's domain) that will be served by Oracle Content and Experience, you need to add a front channel CORS origin. Front channel CORS is typically useful for custom application integration. For example, the REST APIs interact with the front channel.

  • If the request is directly from Oracle Content and Experience to a connected client in another domain, you need to add a back channel CORS origin. For example, Oracle Content and Experience can send back-channel messages (real-time updates) to an application.

  • If an application gets both front-channel and back-channel communication from Oracle Content and Experience, you need to add the domain to both the front and back channel CORS origins lists.

The CORS settings apply to all Oracle Content and Experience calls (documents, social, and content as a service).

To allow resource sharing between a browser application that integrates with Oracle Content and Experience Cloud but is hosted in a different domain, perform the following steps:

  1. After you sign in to the Oracle Content and Experience web application as an administrator, click System in the Administration area of the navigation menu.

  2. In the System Settings menu, click Security.

  3. Under CORS (Cross-Origin Resource Sharing), enter the domains in the appropriate CORS origins text box in the format http[s]://domainname.com. Separate entries with a comma. For example, to enable CORS for an app on your server, enter a value similar to the following in both the Back Channel CORS Origins and Front Channel CORS Origins boxes:

    https://www.example.com/app

    If you use a custom domain URL, enter the custom URL as well.

  4. When you are done, click Save.

Do not use * as an origin value; it allows access from all hosts.

Security measures vary between different browsers and different browser versions. See http://www.w3.org/TR/UISecurity/.

The CORS settings apply to all Oracle Content and Experience calls (documents, social, and content as a service).

Embed Content in Other Domains

You can display content from Oracle Content and Experience within other domains. For example, you might embed the Oracle Content and Experience web user interface into your own web applications to access folder and document management features inside your application.

To allow users to embed content, enable embedded content and add domains:

  1. After you sign in to the Oracle Content and Experience web application as an administrator, click System in the Administration area of the navigation menu.

  2. In the System Settings menu, click Security.

  3. Under Embedded Content , select Enabled.

  4. In the Allowed domains box, enter a list of permitted domains, separated by commas. Domains must be in the form www.example.com.
    • To restrict the domain to a particular port, include the port in the specification. For example, www.example.com:12345.

    • If you want to allow a domain that has multiple sub-domains, you can use the * wildcard character. For example, www.example.* includes the domains www.example.com, www.example.co.uk, and so on.

To learn about embedding the Oracle Content and Experience web user interface, see Embed the Web User Interface in Other Applications.