Configure Cross-Origin Resource Sharing

Depending on the REST client you're using, you may or may not need to configure Cross-Origin Resource Sharing (CORS). You only need to configure CORS if you're using a client developed in a browser-based programming language, such as JavaScript. Such clients can complete requests or access REST APIs only within the context of a web page in a browser.

Why Use CORS?

CORS is a set of rules that defines the way a server and a browser talk to each other and whether or not it's safe to do so across different domains. As a specification, CORS provides a standard way to implement cross-domain requests that can be used in all browsers.

All browsers enforce the same-origin policy. This policy permits scripts contained in one web page to access data in another, but only if both web pages originate from the same domain. As a result, clients developed in browser-based programming languages that run in one domain cannot retrieve resources from another domain.

How You Configure CORS in Oracle B2C Service

One way to enable CORS in Oracle Applications Cloud is to set the profile option values for the CORS headers using the Manage Administrator Profile Values task in the Setup and Maintenance work area.

The following table lists the supported CORS headers, and the configuration setting values that you can set for each header.

CORS header: Access-Control-Allow-Origin
  Purpose: Provides a comma-separated list of trusted origins from which a client application can access resources.
  Configuration setting name: PAPI_CORS_DOMAIN_LIST
  Configuration setting values: Valid values for allowed origins:
    • URL of the specific origin. For example, http://www.mycompanydomain.com
    • Comma-separated list of origins. For example, http://www.mycompanydomain.com, http://adc6160507.osvc.com, http://software.dzhuvinov.com
    • Empty (no value set), which prevents access to resources from any origin.

  Note:

  Default is blank.

  Asterisk (*) is not supported in this configuration. If an '*' is present in the configuration, even as part of a URL, the whole configuration value is considered invalid and CORS support is disabled. You must set a value for this configuration setting to enable CORS.

CORS header: Access-Control-Max-Age
  Purpose: Specifies how long the response to a preflight request is cached.
  Configuration setting name: PAPI_CORS_MAX_AGE
  Configuration setting values: Default is 3 seconds. Maximum is 31 seconds.

How You Configure CORS in Oracle B2C Service Chat

To enable CORS in Oracle B2C Service Chat, you must set some of the configuration setting values in the Agent Desktop.

The following table provides the details for the supported CORS header.

CORS header: Access-Control-Allow-Origin
  Purpose: Provides a regular expression describing the trusted origins from which a client can access resources.
  Configuration setting name: CHAT_CORS_ALLOWLIST
  Configuration setting values: The value is a Java regular expression that specifies the domains a client application can access from. If this value is not set, any origin is allowed.
    • If the regular expression is .*\.mycompanydomain\.com then all hosts on mycompanydomain.com will be trusted to make CORS requests. For example, mail.mycompanydomain.com and web.mycompanydomain.com.
    • If the regular expression is (.*\.mycompanydomain\.com|.*\.mypartnerdomain\.com) then all hosts on mycompanydomain.com and mypartnerdomain.com will be trusted to make CORS requests. For example, mail.mycompanydomain.com and ads.mypartnerdomain.com.

Note:

It is IMPORTANT to test the regular expression you plan to use before updating this value. If the regular expression is not valid, all CORS requests will be rejected (including the ones that were previously allowed).

You can configure CORS HTTP headers to enable a client application running in one domain to retrieve resources from another domain using HTTP requests. Let's say that your client application sends a request to REST API server A and then to REST API server B. To allow this cross-server request from the client application, you must configure the Access-Control-Allow-Origin header in server B; otherwise the request fails.
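The following added example (not Oracle's code) models the two settings described above so that a value can be checked before it is saved: a PAPI_CORS_DOMAIN_LIST value is rejected whole if it contains '*', and a CHAT_CORS_ALLOWLIST pattern is tested against the hosts you expect to allow and deny. It assumes the pattern is applied to the whole host name (like Java's Matcher.matches()) and uses Python's re in place of java.util.regex; neither is stated on the page, and the sample hosts are constructed.

```python
import re
from typing import List, Optional


def parse_domain_list(value: str) -> Optional[List[str]]:
    """Interpret a PAPI_CORS_DOMAIN_LIST value. Returns the trusted origins, or
    None when the setting disables CORS: blank, or any '*' anywhere in the
    value (a wildcard invalidates the whole value, not just one entry)."""
    if "*" in value:
        return None
    origins = [o.strip() for o in value.split(",") if o.strip()]
    return origins or None


def origin_allowed_by_list(value: str, origin: str) -> bool:
    """True only when the exact Origin string appears in a valid list."""
    origins = parse_domain_list(value)
    return origins is not None and origin in origins


def host_allowed_by_chat_regex(value: Optional[str], host: str) -> bool:
    """Interpret a CHAT_CORS_ALLOWLIST value for one requesting host.
    Assumption: the pattern must match the whole host (Matcher.matches()-style)."""
    if not value:                      # unset allowlist: every origin is allowed
        return True
    try:
        pattern = re.compile(value)
    except re.error:                   # invalid pattern: every request is rejected
        return False
    return pattern.fullmatch(host) is not None


def check_chat_allowlist(value, expect_allowed, expect_denied) -> List[str]:
    """Pre-deployment check: list the hosts whose outcome differs from what the
    administrator expects. An empty list means the pattern behaves as intended."""
    problems = []
    for h in expect_allowed:
        if not host_allowed_by_chat_regex(value, h):
            problems.append("would be rejected: " + h)
    for h in expect_denied:
        if host_allowed_by_chat_regex(value, h):
            problems.append("would be allowed: " + h)
    return problems


if __name__ == "__main__":
    candidate = r"(.*\.mycompanydomain\.com|.*\.mypartnerdomain\.com)"
    print(check_chat_allowlist(candidate,
                               ["mail.mycompanydomain.com", "ads.mypartnerdomain.com"],
                               ["mycompanydomain.com.attacker.example", "evil-mycompanydomain.com"]))
    # An unbalanced parenthesis is a regex error in Java too: every request would fail.
    print(check_chat_allowlist(r"(.*\.mycompanydomain\.com", ["mail.mycompanydomain.com"], []))
```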