Configure CORS Headers
To enable CORS in Oracle Applications Cloud, configure CORS headers so that client applications in one domain can use HTTP requests to get resources from another domain. Set values for profile options that correspond to the CORS headers.
To view the profile option, go to the Setup and Maintenance work area and use the Manage Applications Core Administrator Profile Values task in the Application Extensions functional area.
CORS Profile Options
This table lists the profile options you can set for CORS headers.
CORS Header | Profile Option Name (Profile Option Code) | Profile Option Values |
---|---|---|
Access-Control-Allow-Origin | Allowed Origins for Cross-Origin Resource Sharing (ORA_CORS_ORIGINS) | These are the values you can enter to indicate which origins are allowed:<br>Caution: Asterisk (\*) is no longer supported as a valid value to allow access to resources from all origins. If you have already set asterisk (\*) as the value for the allowed origins, make sure to replace it with the allowed origins.<br>Note: These are some key points to remember while using the profile values: |
Access-Control-Max-Age | CORS: Access-Control-Max-Age (CORS_ACCESS_CONTROL_MAX_AGE) | Default value for caching preflight request is 3600 seconds. |
Access-Control-Allow-Methods | CORS: Access-Control-Allow-Methods (CORS_ACCESS_CONTROL_ALLOW_METHODS) | Default values for allowed methods are OPTIONS, HEAD, GET, POST, PUT, PATCH, and DELETE. |
Access-Control-Allow-Headers | CORS: Access-Control-Allow-Headers (CORS_ACCESS_CONTROL_ALLOW_HEADERS) | Default values for allowed headers are Accept, Accept-Encoding, Authorization, Cache-Control, Content-Encoding, Content-MD5, Content-Type, Effective-Of, If-Match, If-None-Match, Metadata-Context, Origin, Prefer, REST-Framework-Version, REST-Pretty-Print, Upsert-Mode, User-Agent, X-HTTP-Method-Override, and X-Requested-By. |
Access-Control-Allow-Credentials | CORS: Access-Control-Allow-Credentials (CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS) | Select True or False to allow or prevent sending user credentials with the request. The default is False.<br>Caution: Don’t set the value to True without assessing the risk. The value shouldn't be set to True if the value for ORA_CORS_ORIGINS is set to asterisk (\*). The Access-Control-Allow-Credentials header won't be set if ORA_CORS_ORIGINS value is \*. Setting the value to True affects all the Fusion Applications REST endpoints. |
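
The cautions in the table can be verified from the outside by inspecting the CORS headers an endpoint returns. The following is an added example, not Oracle's code: it parses constructed sample responses and flags a wildcard origin, an origin outside an assumed reviewed list (`ALLOWED`), and enabled credentials. The function names and sample hosts are illustrative assumptions.

```python
# Added example (not Oracle code): audit a response against the cautions above.
# allowed_origins is an assumed, locally maintained list of reviewed origins.

def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_cors(raw_response: str, allowed_origins: set) -> list:
    """Return findings for one response; an empty list means nothing was flagged."""
    h = parse_headers(raw_response)
    origin = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if origin == "*":
        findings.append("wildcard-origin: replace * in ORA_CORS_ORIGINS with explicit origins")
        if creds:
            findings.append("wildcard-with-credentials: credentials must not be combined with *")
    elif origin is not None and origin not in allowed_origins:
        findings.append(f"unexpected-origin: {origin} is not in the reviewed list")
    if creds and origin != "*":
        findings.append("credentials-enabled: affects all REST endpoints, confirm the risk review")
    return findings

# Constructed sample data (example.com names are placeholders, not real tenants).
ALLOWED = {"https://app.example.com"}
SAMPLE_OK = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Max-Age: 3600
"""
SAMPLE_WILDCARD = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
"""
SAMPLE_CREDS = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://other.example.net
Access-Control-Allow-Credentials: true
"""

if __name__ == "__main__":
    for name, raw in [("ok", SAMPLE_OK), ("wildcard", SAMPLE_WILDCARD), ("creds", SAMPLE_CREDS)]:
        print(name, audit_cors(raw, ALLOWED))
```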