Why Use CORS?
Simply put, CORS is a set of rules that defines the way a server and a browser talk to each other and whether or not it's safe to do so across different domains. As a specification, CORS provides a standard way to implement cross-domain requests that can be used in all browsers.
All browsers enforce the same-origin policy. This policy permits scripts contained in one web page to access data in another, but only if both web pages originate from the same domain. As a result, REST API clients developed in browser-based programming languages that run in one domain cannot retrieve resources from another domain.
Configuring Origin Domains for CORS
Configure the list of origin domains for CORS in the configuration UI as follows:
- Navigate to .
- Select the Allow cross-origin resource sharing (CORS) from the following web domains checkbox.
- In the text box, add the domain names. Enter each domain name on a separate line.
- Make sure that the domain names are not longer than 253 characters.
- You can add up to 100 origin domain names.
- Make sure that there are no leading or trailing white spaces in a domain name.
- Use the single asterisk '*' to allow all domains.
- Do not use wildcards or special characters; they are not supported.
- Click Save.
Note: When a domain name is added or modified, it may take up to three minutes for the changes to be reflected across the application.
The following table lists the supported CORS headers, and the values that OFSC returns for each header.
| CORS Header | Purpose | Value Returned |
|---|---|---|
| Access-Control-Allow-Origin | Provides a comma-separated list of trusted origins from which a client application can access resources. | The value of the request header Origin is returned. For example, if the request header value is 'Origin: https://example.com/', then 'Access-Control-Allow-Origin: https://example.com/' is returned. |
| Access-Control-Max-Age | Specifies how long the response to a preflight request is cached. | 1728000 |
| Access-Control-Allow-Methods | Provides a comma-separated list of permitted HTTP methods in a request. | OPTIONS, GET, POST, PUT, PATCH, DELETE |
| Access-Control-Allow-Headers | Provides a comma-separated list of permitted HTTP headers in a request. | DNT, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Authorization |
| Access-Control-Allow-Credentials | Specifies whether a client application can send user credentials with a request. | True |
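
The domain-name rules listed in the configuration steps can be checked before the list is entered in the text box. The following is an added example, not part of the product or its documentation. It assumes each entry is a bare DNS host name (the page does not define the exact syntax), and `lint_origin_list` and `SAMPLE` are hypothetical names.

```python
import re

MAX_LEN = 253       # page: a domain name must not be longer than 253 characters
MAX_ENTRIES = 100   # page: up to 100 origin domain names
# Assumption (not from the page): an entry is a bare DNS host name, so each
# dot-separated label is 1-63 letters, digits or hyphens, no hyphen at the ends.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Constructed sample of text-box content, one entry per line.
SAMPLE = "app.example.com\n portal.example.com\n*.example.com\nhttps://example.com/\n*\n"


def lint_origin_list(text):
    """Return (errors, warnings) for the origin list, one entry per line."""
    errors, warnings = [], []
    lines = [line for line in text.splitlines() if line != ""]
    if len(lines) > MAX_ENTRIES:
        errors.append(f"{len(lines)} entries, the limit is {MAX_ENTRIES}")
    for n, raw in enumerate(lines, 1):
        name = raw.strip()
        if name != raw:
            errors.append(f"line {n}: leading or trailing white space")
        if name == "*":
            # Allowed by the page, but it trusts every origin, and the header
            # table lists Access-Control-Allow-Credentials as True.
            warnings.append(f"line {n}: '*' allows all domains; confirm this is intended")
            continue
        if len(name) > MAX_LEN:
            errors.append(f"line {n}: {len(name)} characters, the limit is {MAX_LEN}")
        if not all(LABEL.fullmatch(label) for label in name.split(".")):
            errors.append(f"line {n}: wildcard or special character in {name!r}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = lint_origin_list(SAMPLE)
    for msg in errs:
        print("ERROR  ", msg)
    for msg in warns:
        print("WARNING", msg)
```
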