Understand Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) allows a web page to make requests such as XMLLHttpRequest to another domain. If you have a browser application that integrates with Oracle Content and Experience Cloud but is hosted in a different domain, add the browser application domain to Oracle Content and Experience Cloud’s CORS origins list.

The REST APIs use CORS because they're called from JavaScript code that runs in a browser and the REST APIs and Oracle Content and Experience are hosted in different domains.

If your browser application needs to use a REST endpoint that doesn't support CORS or that needs service account credentials, you can instead register and use the endpoint via Oracle Content and Experience’s integrated proxy service. See Configure Proxy Service Settings.

In general, inline frames can host content if the protocol, domain, and port of the inline frame are identical to those for the content it displays. For example, by default, an inline frame on the page http://www.example.com:12345/home.html can host content only if the content's protocol is also http, the domain is www.example.com and the port is 12345.

However, if the application is in a different domain than Oracle Content and Experience, you need to need to add the application’s host machine information to the list of front channel CORS origins, back channel CORS origins, or both.

  • If the request is a cross-domain request (not originating from Oracle Content and Experience's domain) that will be served by Oracle Content and Experience, you need to add a front channel CORS origin. Front channel CORS is typically useful for custom application integration. For example, the REST APIs interact with the front channel.

  • If the request is directly from Oracle Content and Experience to a connected client in another domain, you need to add a back channel CORS origin. For example, Oracle Content and Experience can send back-channel messages (real-time updates) to an application.

  • If an application gets both front-channel and back-channel communication from Oracle Content and Experience, you need to add the domain to both the front and back channel CORS origins lists.

The CORS settings apply to all Oracle Content and Experience calls (documents, social, and content as a service).

See Enable Cross-Origin Resource Sharing (CORS) in Administering Oracle Content and Experience.