Configure CORS Headers

To enable CORS in Oracle Applications Cloud, configure CORS headers so that client applications in one domain can use HTTP requests to get resources from another domain. Set values for profile options that correspond to the CORS headers.

To view the profile option, go to the Setup and Maintenance work area and use the Manage Applications Core Administrator Profile Values task in the Application Extensions functional area.

CORS Profile Options

This table lists the profile options you can set for CORS headers. Each entry gives the CORS header, the profile option name (profile option code), and the profile option values.

Access-Control-Allow-Origin

Allowed Origins for Cross-Origin Resource Sharing (ORA_CORS_ORIGINS)

These are the values you can enter to indicate which origins are allowed:

  • URL of the specific origin. For example, http://www.exampledomain.com.

  • Space-separated list of origins. For example, http://www.exampledomain.com http://us.example.com http://software.example.com

Caution: Asterisk (*) is no longer supported as a valid value to allow access to resources from all origins. If you have already set asterisk (*) as the value for the allowed origins, make sure to replace it with the allowed origins.

Note: These are some key points to remember while using the profile values:
  • You must set a value for this header to enable CORS.
  • Never enclose the URL or asterisk in quotation marks.
  • Domain names must contain only valid URL characters.
  • The profile value is applicable at the Site level.

Access-Control-Max-Age

CORS: Access-Control-Max-Age (CORS_ACCESS_CONTROL_MAX_AGE)

The default value for caching a preflight request is 3600 seconds.

Access-Control-Allow-Methods

CORS: Access-Control-Allow-Methods (CORS_ACCESS_CONTROL_ALLOW_METHODS)

Default values for allowed methods are OPTIONS, HEAD, GET, POST, PUT, PATCH, and DELETE.

Access-Control-Allow-Headers

CORS: Access-Control-Allow-Headers (CORS_ACCESS_CONTROL_ALLOW_HEADERS)

Default values for allowed headers are Accept, Accept-Encoding, Authorization, Cache-Control, Content-Encoding, Content-MD5, Content-Type, Effective-Of, If-Match, If-None-Match, Metadata-Context, Origin, Prefer, REST-Framework-Version, REST-Pretty-Print, Upsert-Mode, User-Agent, X-HTTP-Method-Override, and X-Requested-By.

Access-Control-Allow-Credentials

CORS: Access-Control-Allow-Credentials (CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS)

Select True or False to allow or prevent sending user credentials with the request. The default is False.

Caution: Don’t set the value to True without assessing the risk. The value shouldn't be set to True if the value for ORA_CORS_ORIGINS is set to asterisk (*). The Access-Control-Allow-Credentials header won't be set if the ORA_CORS_ORIGINS value is *. Setting the value to True affects all the Fusion Applications REST endpoints.
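
A pre-change check for a proposed ORA_CORS_ORIGINS value, applying the rules listed for Allowed Origins and the caution on Access-Control-Allow-Credentials. This is an added example, not Oracle code: the function name, the hostname character set (letters, digits, hyphens, dots) and the rejection of paths in an origin are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Assumption of this example: "valid URL characters" for a domain name means
# letters, digits, hyphens and dots (IPv6 literals are not handled).
HOST_RE = re.compile(r"[a-z0-9.-]+")

def check_cors_origins(value, allow_credentials=False):
    """Return a list of problems in a proposed ORA_CORS_ORIGINS value (hypothetical helper)."""
    if not value.strip():
        return ["empty value: this header must have a value to enable CORS"]
    problems = []
    if '"' in value or "'" in value:
        problems.append("remove quotation marks from the value")
    for raw in value.split():  # origins are space-separated
        origin = raw.strip("\"'")
        if origin == "*":
            msg = "asterisk (*) is no longer supported; list the allowed origins"
            if allow_credentials:
                msg += "; credentials shouldn't be True together with *"
            problems.append(msg)
            continue
        try:
            parts = urlsplit(origin)
            parts.port  # raises ValueError for a malformed port
        except ValueError:
            problems.append(f"{origin}: not a parseable URL")
            continue
        host = parts.hostname
        if parts.scheme not in ("http", "https") or not host:
            problems.append(f"{origin}: expected scheme://host[:port]")
        elif not HOST_RE.fullmatch(host):
            problems.append(f"{origin}: domain name has invalid characters")
        elif parts.path or parts.query or parts.fragment or parts.username:
            # Browsers send Origin as scheme://host[:port] only.
            problems.append(f"{origin}: drop the path, query, fragment or user info")
    return problems

if __name__ == "__main__":
    # Constructed sample values; the first is the page's own example list.
    samples = ["http://www.exampledomain.com http://us.example.com http://software.example.com",
               "*", '"http://www.exampledomain.com"', "http://www.exampledomain.com/app"]
    for sample in samples:
        print(repr(sample), "->", check_cors_origins(sample, allow_credentials=True) or "ok")
```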