Cross Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) is a W3C spec that governs cross-domain communication from clients such as a browser or a custom web application that is deployed in a different domain.

A typical use case for CORS is as follows: the OHI Claims application that is deployed in imaginary domain 'claims.com' has some data that custom web application 'ourclaimsportal.com' needs to access. This type of request traditionally wouldn’t be allowed under the browser’s same-origin policy. However, by supporting CORS requests, 'claims.com' can add a few special response headers that allow 'ourclaimsportal.com' to access the data.

Oracle Health Insurance supports CORS. The Installation Guide explains how to configure Oracle Health Insurance for CORS. You need to specify at least the allowed origins. Oracle does not support the insecure '*' wildcard as a default. This wildcard effectively allows any traffic, which violates the 'secure by default' installation principle.

Without specifying (at least) allowed origins, Oracle Health Insurance will fail to start with the following message: "No CORS Origins specified; see the Security Guide for configuration details".
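
The following sketch is an added example, not Oracle Health Insurance code or configuration. It shows the general pattern described above: an origin allow-list that stops startup when it is empty and returns the allow header only on an exact origin match. The function names, the outright rejection of '*', and the 'https://ourclaimsportal.com.example' lookalike are assumptions made for the illustration.

```javascript
// Added illustration, not Oracle Health Insurance code; all names are hypothetical.

// Build the allow-list at startup. An empty list stops startup (fail closed),
// and every entry must be a bare origin: scheme://host[:port], nothing more.
function buildCorsPolicy(allowedOrigins) {
  if (!Array.isArray(allowedOrigins) || allowedOrigins.length === 0) {
    throw new Error('No CORS Origins specified');
  }
  const policy = new Set();
  for (const entry of allowedOrigins) {
    if (entry === '*') {
      // Choice made by this sketch: never accept the allow-everything wildcard.
      throw new Error("Wildcard '*' is not an accepted origin");
    }
    const parsed = new URL(entry); // throws TypeError on malformed entries
    if (parsed.origin !== entry) {
      // Rejects paths, trailing slashes, credentials and non-canonical forms.
      throw new Error(`Not a bare origin: ${entry}`);
    }
    policy.add(entry);
  }
  return policy;
}

// Decide the CORS response headers for one request's Origin header value.
function corsHeadersFor(requestOrigin, policy) {
  // Vary: Origin is always set so a shared cache cannot replay a response
  // that was produced for a different origin.
  const headers = { Vary: 'Origin' };
  // Exact match only: prefix, suffix or substring checks would let
  // lookalike hostnames through.
  if (typeof requestOrigin === 'string' && policy.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return headers;
}

// Constructed sample: the portal from the use case above is the only allowed origin.
const samplePolicy = buildCorsPolicy(['https://ourclaimsportal.com']);
const allowed = corsHeadersFor('https://ourclaimsportal.com', samplePolicy);
const lookalike = corsHeadersFor('https://ourclaimsportal.com.example', samplePolicy);
console.log(allowed, lookalike);
```

A response without Access-Control-Allow-Origin is still sent; it is the browser that refuses to hand the data to the calling page.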