Configure CORS Headers
To enable CORS in Oracle Applications Cloud, configure CORS headers so that client applications in one domain can use HTTP requests to get resources from another domain. Set values for profile options that correspond to the CORS headers.
To view the profile option, go to the Setup and Maintenance work area and use the Manage Applications Core Administrator Profile Values task in the Application Extensions functional area.
CORS Profile Options
This table lists the profile options you can set for CORS headers.
CORS Header |
Profile Option Name (Profile Option Code) |
Profile Option Values |
---|---|---|
Access-Control-Allow-Origin |
Allowed Origins for Cross-Origin Resource Sharing (ORA_CORS_ORIGINS) Note: If you configured CORS using the earlier profile option
ORACLE.ADF.VIEW.ALLOWED_ORIGINS, the associated profile value will be
copied over to the new profile option ORA_CORS_ORIGINS, as part of the
latest application upgrade. You must validate whether the carried over
changes to the profile option are according to your CORS configuration
requirement.
|
These are the values you can enter to indicate which origins are allowed:
Note: These are some key points to remember while using the
profile values:
|
Access-Control-Max-Age |
CORS: Access-Control-Max-Age (CORS_ACCESS_CONTROL_MAX_AGE) |
Default value for caching preflight request is 3600 seconds. |
Access-Control-Allow-Methods |
CORS: Access-Control-Allow-Methods (CORS_ACCESS_CONTROL_ALLOW_METHODS) |
Default values for allowed methods are OPTIONS, HEAD, GET, POST, PUT, PATCH, and DELETE. |
Access-Control-Allow-Headers |
CORS: Access-Control-Allow-Headers (CORS_ACCESS_CONTROL_ALLOW_HEADERS) |
Default values for allowed headers are Accept, Accept-Encoding, Authorization, Cache-Control, Content-Encoding, Content-MD5, Content-Type, Effective-Of, If-Match, If-None-Match, Metadata-Context, Origin, Prefer, REST-Framework-Version, REST-Pretty-Print, Upsert-Mode, User-Agent, X-HTTP-Method-Override, and X-Requested-By. |
Access-Control-Allow-Credentials |
CORS: Access-Control-Allow-Credentials (CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS) |
Select True or False to allow or prevent sending user credentials with the request. The default is False. |