Cross-Origin Resource Sharing (CORS)

CORS defines a way in which a browser and server can interact to safely determine whether to allow a cross-origin request. CORS provides more flexibility than allowing only same-origin requests, but is more secure than simply permitting all cross-origin requests.

Oracle Integration supports CORS in the REST Adapter trigger (inbound) direction. You configure CORS support in the Adapter Endpoint Configuration Wizard. See REST Adapter Trigger Resource Configuration Page and REST Adapter Trigger CORS Configuration Page.

CORS is supported by browsers based on the following layout engines:
  • Blink- and Chromium-based browsers (Chrome 28, Opera 15, Amazon Silk, Android's 4.4+ WebView, and Qt's WebEngine).

  • Gecko 1.9.1 (Firefox 3.5, SeaMonkey 2.0, and Camino 2.1) and above.

  • MSHTML/Trident 6.0 (Internet Explorer 10) has native support. MSHTML/Trident 4.0 & 5.0 (Internet Explorer 8 & 9) provide partial support through the XDomainRequest object.

  • Presto-based browsers (Opera) implement CORS as of Opera 12.00 and Opera Mobile 12, but not Opera Mini.

  • WebKit (Safari 4 and above, Google Chrome 3 and above, possibly earlier).

The following browsers do not support CORS:
  • Camino does not implement CORS in the 2.0.x release series because these versions are based on Gecko 1.9.0.

  • As of version 0.10.2, Arora exposes WebKit's CORS-related APIs, but attempted cross-origin requests fail.

For CORS to work, you must send an OPTIONS request. Using the XMLHttpRequest object in JavaScript (for Ajax calls) automatically sends the OPTIONS request. If XMLHttpRequest is not used, then the OPTIONS request must be sent explicitly.

In the following example, an HTML client invokes an Oracle Integration CORS-based endpoint using XMLHttpRequest.
<html>

<script type="text/javascript">

var invocation = new XMLHttpRequest();
var url = "<ics endpoint url>";
// Use Postman to generate authCode. Sample is provided below.
// A value embedded in page script is readable by anyone who can load the page.
var authCode = 'Basic <base64encoded authorization string>';

function callOtherDomain() {
  if (invocation) {
    invocation.open('GET', url, true);
    invocation.setRequestHeader('Accept', 'application/json');
    invocation.setRequestHeader('X-Cache', 'aaa');
    invocation.setRequestHeader('X-Forwarded-For', 'fwd1');
    invocation.setRequestHeader('Authorization', authCode);
    invocation.onreadystatechange = stateChangeEventHandler;
    invocation.send();
  }
}

function stateChangeEventHandler() {
  // Check whether the data is loaded
  if (invocation.readyState == 4) {
    // Check whether the status is OK
    if (invocation.status == 200) {
      // Show the response as plain text in the textarea. Calling
      // document.write() after the page has loaded would replace the page,
      // textarea included, and parse the response as HTML.
      document.getElementById("myTextarea").value = invocation.responseText;
    } else {
      alert("Error Occurred");
    }
  }
}

</script>
<body onload="callOtherDomain()">
<br><br>
<textarea id="myTextarea" name="mytextarea1"></textarea><br><br>
</body>
</html>
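
The following added example (not Oracle code) works out the OPTIONS preflight a browser sends for the request above and checks whether a given preflight response would let the real request proceed. The origin, the sample response headers, and all function names are assumptions made for illustration; the rules are simplified from the Fetch standard.

```javascript
// Added example, not Oracle code. Simplified: no Range/byte checks, no cookies.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_TYPES = new Set(['application/x-www-form-urlencoded',
  'multipart/form-data', 'text/plain']);
const split = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// Lowercase, sorted names of request headers that are not CORS-safelisted.
function unsafeHeaderNames(headers) {
  const names = new Set();
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    const mime = value.split(';')[0].trim().toLowerCase();
    const safe = value.length <= 128 && (SAFE_HEADERS.has(lower) ||
      (lower === 'content-type' && SAFE_TYPES.has(mime)));
    if (!safe) names.add(lower);
  }
  return [...names].sort();
}

// The OPTIONS request the browser sends first, or null if none is needed.
function buildPreflight(origin, method, headers) {
  const unsafe = unsafeHeaderNames(headers);
  const verb = method.toUpperCase();
  if (SAFE_METHODS.has(verb) && unsafe.length === 0) return null;
  const h = { 'origin': origin, 'access-control-request-method': verb };
  if (unsafe.length) h['access-control-request-headers'] = unsafe.join(',');
  return { method: 'OPTIONS', headers: h };
}

// Would the browser accept this preflight response (lowercase header keys)?
function preflightAllows(preflight, status, response) {
  const req = preflight.headers;
  const allowOrigin = response['access-control-allow-origin'];
  if (status < 200 || status > 299) return false;
  if (allowOrigin !== '*' && allowOrigin !== req['origin']) return false;
  const verb = req['access-control-request-method'];
  const methods = split(response['access-control-allow-methods']);
  if (!SAFE_METHODS.has(verb) && !methods.includes(verb) &&
      !methods.includes('*')) return false;
  const allowed = split(response['access-control-allow-headers'])
    .map((s) => s.toLowerCase());
  // "authorization" is never covered by the "*" wildcard.
  return split(req['access-control-request-headers']).every((n) =>
    allowed.includes(n) || (n !== 'authorization' && allowed.includes('*')));
}
// Constructed sample mirroring the headers set in the page's example.
const SAMPLE_HEADERS = { 'Accept': 'application/json', 'X-Cache': 'aaa',
  'X-Forwarded-For': 'fwd1', 'Authorization': 'Basic <redacted>' };
console.log(buildPreflight('https://client.example', 'GET', SAMPLE_HEADERS));
```

For the sample request, the CORS configuration on the endpoint has to list Authorization, X-Cache and X-Forwarded-For as allowed headers; a wildcard alone does not cover Authorization.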
Some browsers may also enforce security restrictions, such as the same-origin policy or a similarly named policy, that prevent using CORS. For example, to access a CORS-enabled endpoint using a Chrome browser, you may have to start it with web security disabled, using a separate profile directory (--user-data-dir) for the session, as follows.
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security