Configure CORS Headers
To enable CORS in Oracle Applications Cloud, configure CORS headers so that client applications in one domain can use HTTP requests to get resources from another domain. Set values for profile options that correspond to the CORS headers.
To view the profile option, go to the Setup and Maintenance work area and use the Manage Applications Core Administrator Profile Values task in the Application Extensions functional area.
CORS Profile Options
This table lists the profile options you can set for CORS headers.
| CORS Header | Profile Option Name (Profile Option Code) | Profile Option Values | 
|---|---|---|
| Access-Control-Allow-Origin | Allowed Origins for Cross-Origin Resource Sharing (ORA_CORS_ORIGINS) | These are the values you can enter to indicate which origins are allowed: 
 Caution: Asterisk (*) is no longer
                           supported as a valid value to allow access to resources from all origins.
                           If you have already set asterisk (*) as the value for the allowed
                           origins, make sure to replace it with the allowed origins. Note: These are some key points to remember while using the
                           profile values: 
 | 
| Access-Control-Max-Age | CORS: Access-Control-Max-Age (CORS_ACCESS_CONTROL_MAX_AGE) | Default value for caching preflight request is 3600 seconds. | 
| Access-Control-Allow-Methods | CORS: Access-Control-Allow-Methods (CORS_ACCESS_CONTROL_ALLOW_METHODS) | Default values for allowed methods are OPTIONS, HEAD, GET, POST, PUT, PATCH, and DELETE. | 
| Access-Control-Allow-Headers | CORS: Access-Control-Allow-Headers (CORS_ACCESS_CONTROL_ALLOW_HEADERS) | Default values for allowed headers are Accept, Accept-Encoding, Authorization, Cache-Control, Content-Encoding, Content-MD5, Content-Type, Effective-Of, If-Match, If-None-Match, Metadata-Context, Origin, Prefer, REST-Framework-Version, REST-Pretty-Print, Upsert-Mode, User-Agent, X-HTTP-Method-Override, and X-Requested-By. | 
| Access-Control-Allow-Credentials | CORS: Access-Control-Allow-Credentials (CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS) | Select True or False to allow or prevent sending user credentials with the request. The default is False. Caution: Don’t set the value to True
                           without assessing the risk. The value shouldn't be set to True if the
                           value for ORA_CORS_ORIGINS is set to asterisk (*). The
                           Access-Control-Allow-Credentials header won't be set if ORA_CORS_ORIGINS
                           value is *. Setting the value to True affects all the Fusion Applications
                           REST endpoints. |