Enable Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) allows a web page to make requests, such as XMLHttpRequest calls, to another domain. If you have a browser application that integrates with Oracle Content and Experience Cloud but is hosted in a different domain, add the browser application domain to Oracle Content and Experience Cloud’s CORS origins list.

The REST APIs use CORS because they're called from JavaScript code that runs in a browser and the REST APIs and Oracle Content and Experience are hosted in different domains.

If your browser application needs to use a REST endpoint that doesn't support CORS or that needs service account credentials, you can instead register and use the endpoint via Oracle Content and Experience’s integrated proxy service. See Configure Proxy Service Settings.

In general, inline frames can host content if the protocol, domain, and port of the inline frame are identical to those for the content it displays. For example, by default, an inline frame on the page http://www.example.com:12345/home.html can host content only if the content's protocol is also http, the domain is www.example.com and the port is 12345.

However, if the application is in a different domain than Oracle Content and Experience, you need to add the application’s host machine information to the list of front channel CORS origins, back channel CORS origins, or both.

  • If the request is a cross-domain request (not originating from Oracle Content and Experience's domain) that will be served by Oracle Content and Experience, you need to add a front channel CORS origin. Front channel CORS is typically useful for custom application integration. For example, the REST APIs interact with the front channel.

  • If the request is directly from Oracle Content and Experience to a connected client in another domain, you need to add a back channel CORS origin. For example, Oracle Content and Experience can send back-channel messages (real-time updates) to an application.

  • If an application gets both front-channel and back-channel communication from Oracle Content and Experience, you need to add the domain to both the front and back channel CORS origins lists.

The CORS settings apply to all Oracle Content and Experience calls (documents, social, and content as a service).

To allow resource sharing between a browser application that integrates with Oracle Content and Experience Cloud but is hosted in a different domain, perform the following steps:

  1. After you sign in to the Oracle Content and Experience web application as an administrator, click Settings in the Administration area of the navigation menu.

  2. In the Settings menu, click Security.

  3. Under CORS (Cross-Origin Resource Sharing), enter the domains in the appropriate CORS origins text box in the format http[s]://domainname.com. Separate entries with a comma. For example, to enable CORS for an app on your server, enter a value similar to the following in both the Back Channel CORS Origins and Front Channel CORS Origins boxes:

    https://www.example.com/app

    If you use a custom domain URL, enter the custom URL as well.

  4. When you are done, click Save.

Do not use * as an origin value; it allows access from all hosts.
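
The following is an added example, not Oracle code: a JavaScript check to run over a CORS origins value before you enter it in the CORS origins text box. It assumes entries are compared against the browser's Origin header, which carries only the protocol, domain, and port; the function name lintCorsOrigins and the report fields are hypothetical.

```javascript
// Added example (not Oracle code). lintCorsOrigins and its report
// fields are hypothetical names chosen for this illustration.
function lintCorsOrigins(value) {
  const origins = [];
  const findings = [];
  const flag = (entry, level, msg) => findings.push({ entry, level, msg });

  for (const raw of value.split(",")) {
    const entry = raw.trim();
    if (entry === "") continue; // tolerate a trailing comma
    if (entry.includes("*")) {
      flag(entry, "error", "wildcard allows access from all hosts");
      continue;
    }
    let url;
    try {
      url = new URL(entry);
    } catch (err) {
      flag(entry, "error", "not in http[s]://domainname.com format");
      continue;
    }
    if (url.protocol !== "http:" && url.protocol !== "https:") {
      flag(entry, "error", "scheme must be http or https");
      continue;
    }
    // Assumption: entries are matched against the browser's Origin header,
    // which never carries a path, query string, or fragment.
    if (url.pathname !== "/" || url.search || url.hash) {
      flag(entry, "note", "Origin header will be " + url.origin);
    }
    if (origins.includes(url.origin)) {
      flag(entry, "note", "duplicate of " + url.origin);
    } else {
      origins.push(url.origin);
    }
  }
  return { origins, findings };
}

// Constructed sample value, not taken from a real deployment.
const sample = "https://www.example.com/app, http://www.example.com:12345, " +
  "*, ftp://files.example.com, www.example.com, https://www.example.com";
const report = lintCorsOrigins(sample);
console.log(report.origins.join(","));
for (const f of report.findings) console.log(f.level, f.entry, "-", f.msg);
```

Entries reported with level "error" should be corrected or removed before you click Save.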

Security measures vary between different browsers and different browser versions. See http://www.w3.org/TR/UISecurity/.
