Why Use CORS?
Simply put, CORS is a set of rules that defines the way a server and a browser talk to each other and whether or not it's safe to do so across different domains. As a specification, CORS provides a standard way to implement cross-domain requests that can be used in all browsers.
All browsers enforce the same-origin policy. This policy permits scripts contained in one web page to access data in another, but only if both web pages originate from the same domain. As a result, clients developed in browser-based programming languages that run in one domain cannot retrieve resources from another domain.
How You Configure CORS in Oracle B2C Service
To enable CORS in Oracle B2C Service, you must set some of the configuration setting values in the Agent Desktop of Oracle B2C Service.
The following table lists the supported CORS headers, and the configuration setting values that you can set for each header.
|CORS Header||Purpose||Configuration Setting Name||Configuration Setting Values|
|Access-Control-Allow-Origin||Provides a comma-separated list of trusted origins from which a client application can access resources.||PAPI_CORS_DOMAIN_LIST||Valid values for allowed origins:
Note:Default is blank.
Asterisk (*) is not supported in this configuration, If an '*' is present in the configuration, even as part of a URL, the configuration value is considered invalid and CORS support is disabled. You must set a value for this configuration setting to enable CORS.
|Access-Control-Max-Age||Specifies how long the response to a preflight request is cached.||PAPI_CORS_MAX_AGE||Default is 3 seconds. Maximum is 31 seconds.|
You can configure CORS HTTP headers to enable a client application running in one domain to retrieve resources from another domain using HTTP requests. If, for example, your client application retrieves resource X from the REST API server A, then your client application sends an HTTP request to retrieve resource Y from REST API server B. To allow this cross-server request from the client application, you must configure the Access-Control-Allow-Origin header in server B. Otherwise, the request fails.