Deprecation of Asterisk (*) as CORS Header Value
Starting from update 24A, you can't use an asterisk (*) as a value to allow access to resources from all origins. Instead, you must specify each of the allowed origins for the profile option Allowed Origins for Cross-Origin Resource Sharing (ORA_CORS_ORIGINS).
It's recommended that you review the following conditions before making any updates to the values that currently exist.
- If asterisk (*) exists as the value for the Allowed Origins for Cross-Origin Resource Sharing (ORA_CORS_ORIGINS) profile option, replace it with a list of allowed origins. Going forward, the use of asterisk (*) won't be supported.
- The value for the Access-Control-Allow-Credentials (CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS) profile option is by default set to False to prevent sending user credentials with the request. While it's not at all recommended that you change this value, if you must set it to True, ensure that the value for the profile option Allowed Origins for Cross-Origin Resource Sharing (ORA_CORS_ORIGINS) is not set to asterisk (*).
Caution: Before you change the value of the Access-Control-Allow-Credentials (CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS) profile option to True, assess the risks associated with exposing the user credentials because the change affects all the Fusion Applications REST endpoints.
This change offers a more secure mechanism for integrating applications.
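The two conditions above can be checked before the update with a short script. This is an added example, not Oracle code: it assumes the ORA_CORS_ORIGINS value is a whitespace-separated list of origins, and the function names, finding codes and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

def origin_problem(token):
    """Return a finding code if token is not an exact origin, else None."""
    if "*" in token:
        return "WILDCARD_PATTERN"      # e.g. https://*.example.com is not a single origin
    try:
        parts = urlsplit(token)
        parts.port                      # raises ValueError on a malformed port
    except ValueError:
        return "NOT_AN_ORIGIN"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "NOT_AN_ORIGIN"
    if parts.path or parts.query or parts.fragment or parts.username:
        return "NOT_AN_ORIGIN"          # an origin is scheme://host[:port], nothing more
    return None

def audit_cors_profile(origins_value, allow_credentials=False):
    """Check the ORA_CORS_ORIGINS and CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS values.

    Assumption: origins_value is a whitespace-separated list of origins.
    Returns a list of (token, finding_code) tuples; empty means nothing to fix.
    """
    findings = []
    for token in origins_value.split():
        if token == "*":
            findings.append((token, "ASTERISK_UNSUPPORTED"))   # not supported from update 24A
            if allow_credentials:
                findings.append((token, "ASTERISK_WITH_CREDENTIALS"))
            continue
        code = origin_problem(token)
        if code:
            findings.append((token, code))
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real environment.
    samples = [
        ("*", True),
        ("https://app.example.com https://portal.example.com:8443", True),
        ("https://app.example.com/ https://*.example.com", False),
    ]
    for value, creds in samples:
        print(repr(value), creds, "->", audit_cors_profile(value, creds) or "ok")
```

An entry with a trailing slash or path is flagged because the browser's Origin header carries only scheme, host and port, so such an entry would never match a real request.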
Steps to Enable
You don't need to do anything to enable this feature.