1. REST APIs for Oracle CPQREST API Services for Oracle CPQ
  2. Reference
  3. Configure for CORS

Configure for CORS

Cross-Origin Resource Sharing (CORS) enables secure communication when using a browser-based programming language, such as JavaScript, to access content from another domain using HTTP requests.

Trusted origins can access Oracle CPQ REST services, and access-control headers can be included in Oracle CPQ REST responses. This enables applications in external domains to verify permissions on an Oracle CPQ site. CORS enables better access control for Oracle CPQ REST APIs when invoked by external applications by providing support for CORS headers to be included in REST responses.

This functionality is enabled by default. Customers wishing to enable CORS Headers support for external applications should submit a service request on My Oracle Support to establish their white-listed trusted origins. The following table lists the supported CORS headers.

CORS Headers Purpose
Access-Control-Allow-Origin

Contains a comma-separated list of trusted origins that a client application can access resources from.

For example: http://externaldomain.com

Note:

An origin value must be provided for this header to enable CORS.
Access-Control-Max-Age

Specifies the duration of storing the results of a request in the preflight result cache.

The default value for caching preflight requests is 3600 seconds.
Access-Control-Allow-Methods

Contains a comma-separated list of permitted HTTP methods supported in an Oracle CPQ REST API request.

Default values for allowed methods are GET, POST, PUT, PATCH, DELETE, and OPTIONS.
Access-Control-Allow-Headers

Contains a comma-separated list of permitted HTTP headers supported in an Oracle CPQ REST request.

Default values for allowed headers are Accept, Accept-Encoding, Cache-Control, Content-MD5, Content-Type, If-Match, If-None-Match, Origin, User-Agent, X-HTTP-Method-Override, X-Requested-By.

Note:

"Authorization" must be included in the list of allowed headers

For example: Accept, Accept-Encoding, Cache-Control, Authorization
Access-Control-Allow-Credentials

Specifies whether a client application can send user credentials with a request.

This option accepts two values:

  • True to enable sending credentials with the request
  • False, which is the default value, to disable sending credentials with the request

Note:

Beginning in Oracle CPQ 22A, customers who use JavaScript in cross-site requests can be CORS compliant by including the sites involved in the cross-site request in the CORS compliance allowed list. To update the allow list, log a Service Request (SR) on My Oracle Support.