Configure for CORS

Depending on the REST API client you're using, you may or may not need to configure for Cross-Origin Resource Sharing (CORS). You only need to configure for CORS if you're using a REST API client developed in a browser-based programming language, such as JavaScript. Such REST API clients can complete requests or access REST APIs only within the context of a web page in a browser.

Why Use CORS?

Simply put, CORS is a set of rules that defines the way a server and a browser talk to each other and whether or not it's safe to do so across different domains. As a specification, CORS provides a standard way to implement cross-domain requests that can be used in all browsers.

All browsers enforce the same-origin policy. This policy permits scripts contained in one web page to access data in another, but only if both web pages originate from the same domain. As a result, REST API clients developed in browser-based programming languages that run in one domain cannot retrieve resources from another domain.

Server Setting

In order to enable CORS, the server requires the following property to be set to the domain(s) that will accept these requests.
  • glog.webserver.cors.origins: This property defines the valid origin domains of clients that are accepted by the server. If there are multiple valid origin domains, separate them with ",". For example, "glog.webserver.cors.origins = http://localhost:port,https://localhost:port".

Client Setting

In order to distinguish CORS requests from normal REST requests, the client request must include the following headers.
  • CORS: The server executes CORS actions only when it detects the header "cors" in the request and the value of this header is true.
  • withCredentials: The server requires and accepts cookies, so "withCredentials" should be set to true in the CORS request.
  • Authorization (For non-SSO server): A non-SSO server requires basic HTTP authentication. The user name and password should be encoded as the value of the "Authorization" request header.
JS Example at client side:
var url = "http://host:port/logisticsRestApi/resources/v2/locations/GUEST.4444";
var method = "GET";
var xhr = createCORSRequest(method, url);
// createCORSRequest returns null when the browser supports neither mechanism
if(xhr !== null){
	xhr.send();
}

function createCORSRequest(method, url){
	var xhr = new XMLHttpRequest();

	if("withCredentials" in xhr){
		xhr.open(method, url, true);
		// send the session cookie with the cross-origin request
		xhr.withCredentials = true;
		// non-SSO server: basic HTTP authentication (replace the placeholder with the base64-encoded "user:password")
		xhr.setRequestHeader("Authorization", "Basic **********");
		// marks the request as a CORS request so the server executes its CORS actions
		xhr.setRequestHeader("cors","true");
		xhr.onreadystatechange = function(){
			// readyState 4 = DONE; earlier states may carry only a partial response
			if(xhr.readyState === 4 && xhr.status === 200 && xhr.responseText !== ""){
				// textContent shows the response as text; innerHTML would render any markup contained in it
				document.getElementById("d1").textContent = xhr.responseText;
			}
		};

	// for IE 9 and older, which does not support "withCredentials", and thus could not send request with cookie
	}else if(typeof XDomainRequest != "undefined"){
		xhr = new XDomainRequest();
		xhr.open(method, url);
		// XDomainRequest has no setRequestHeader, so the "Authorization" and "cors" headers
		// cannot be added here; this branch only works against a server that does not require them
		xhr.onload = function(){
			if(xhr.responseText !== ""){
				document.getElementById("d1").textContent = xhr.responseText;
			}
		};
	}else{
		xhr = null;
	}

	return xhr;
}
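Added example (not Oracle's server code) showing how a server-side origin allow-list such as glog.webserver.cors.origins can be evaluated against the request headers described in the Server Setting and Client Setting sections: origins are matched exactly on scheme, host and port, and because the client sends credentials the matched origin is echoed back rather than "*". The property line and request headers are constructed sample values, and the function names are assumptions, not the product's internal logic.

```javascript
// Parse a property line such as
// "glog.webserver.cors.origins = http://localhost:8080,https://app.example.com:443"
// into a set of canonical origins ("scheme://host[:port]", default ports dropped).
function parseCorsOrigins(propertyLine) {
  const idx = propertyLine.indexOf("=");
  const value = idx < 0 ? "" : propertyLine.slice(idx + 1);
  const allowed = new Set();
  for (const raw of value.split(",")) {
    const item = raw.trim();
    if (!item) continue;
    try {
      allowed.add(new URL(item).origin); // canonical form, so comparison is exact
    } catch (e) {
      // a malformed entry is skipped rather than silently widening the allow-list
    }
  }
  return allowed;
}

// Decide the CORS response headers for one request. Returns null when the request
// carries no "cors: true" header (treated as a normal REST request, as the page states),
// { allowed: false } when the Origin is not on the list, and the headers to emit otherwise.
function corsResponseHeaders(allowed, requestHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(requestHeaders)) h[k.toLowerCase()] = v;
  if (h["cors"] !== "true") return null;
  let origin;
  try {
    origin = new URL(h["origin"]).origin; // throws for missing, "null" or malformed Origin
  } catch (e) {
    return { allowed: false };
  }
  if (!allowed.has(origin)) return { allowed: false }; // exact match only, no prefix/suffix matching
  return {
    allowed: true,
    "Access-Control-Allow-Origin": origin,        // echo the single matched origin, never "*"
    "Access-Control-Allow-Credentials": "true",   // required because the client sets withCredentials
    "Vary": "Origin",                             // caches must not reuse the response across origins
  };
}
```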