Understand Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) allows a web page to make requests such as XMLLHttpRequest to another domain. If you have a browser application that integrates with Oracle Content Management Cloud but is hosted in a different domain, add the browser application domain to Oracle Content Management Cloud’s CORS origins list.

The REST APIs use CORS because they're called from JavaScript code that runs in a browser and the REST APIs and Oracle Content Management are hosted in different domains.

If your browser application needs to use a REST endpoint that doesn't support CORS or that needs service account credentials, you can instead register and use the endpoint via Oracle Content Management’s integrated proxy service. See Configure Proxy Service Settings.

In general, inline frames can host content if the protocol, domain, and port of the inline frame are identical to those for the content it displays. For example, by default, an inline frame on the page http://www.example.com:12345/home.html can host content only if the content's protocol is also http, the domain is www.example.com and the port is 12345.

However, if the application is in a different domain than Oracle Content Management, you need to need to add the application’s host machine information to the list of front channel CORS origins, back channel CORS origins, or both.

  • If the request is a cross-domain request (not originating from Oracle Content Management's domain) that will be served by Oracle Content Management, you need to add a front channel CORS origin. Front channel CORS is typically useful for custom application integration. For example, the REST APIs interact with the front channel.

  • If the request is directly from Oracle Content Management to a connected client in another domain, you need to add a back channel CORS origin. For example, Oracle Content Management can send back-channel messages (real-time updates) to an application.

  • If an application gets both front-channel and back-channel communication from Oracle Content Management, you need to add the domain to both the front and back channel CORS origins lists.

The CORS settings apply to all Oracle Content Management calls (documents, social, and content as a service).