CORS support
- Last Updated: April 16, 2025
- OpenEdge
- Version 12.2
- Documentation
Cross-origin resource sharing (CORS) is a W3C group standard that allows an HTTP client that loaded a web page from one domain to access resources located in another domain. Such "cross-domain" requests are otherwise forbidden by the default same-origin security policy of a web browser. The CORS standard defines a way for a client to ask a web server whether a cross-origin request is permitted. The configuration of the web server determines whether the cross-domain request is granted.
The CORS standard was designed primarily to support JavaScript clients; however, it may be applicable to other clients as well.
The CORS standard is implemented through HTTP headers that allow resource access to permitted domains. Most modern browsers support these headers and enforce the restrictions these headers establish. Additionally, for HTTP request methods that might affect user data (in particular, methods other than GET or POST with certain MIME types), the specification mandates that the browser preflight the request. Preflighting is a check to determine if the HTTP request is safe to send to the other domain. The server solicits supported methods from the other domain with an HTTP OPTIONS request header. Upon approval of the preflight request, the actual HTTP request is sent. Servers can also notify clients whether user credentials (including cookies and HTTP authentication data) can be sent with requests.
Although CORS support is extended to modern browsers, check to ensure that your browser supports the CORS standard.
You must manage security constraints (for example, roles) in the oeablSecurity.properties file of the web application. See the OECORSFilter bean of the oeablSecurity.properties.README for more information.
A CORS-enabled server or web application classifies all HTTP requests as:
- A CORS request that contains the HTTP Origin header
- A preflight request that contains the Access-Control-Request-Method header in an OPTIONS request
- A generic request that does not contain any CORS HTTP headers
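The three request classes above, as an added example that is not OpenEdge or CORS Filter code: it sorts a request by its headers, then grants a CORS or preflight request only when the origin exactly matches an allowlist. The origin, the method list, and the names classify and evaluate are assumptions made for this illustration.

```javascript
// Added example, not OpenEdge or CORS Filter code. The origin, the method list
// and all function names are assumptions made for this illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed value
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOW_CREDENTIALS = true;

// HTTP header names are case-insensitive, so normalise them before lookup.
function lowerKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Sort a request into the three classes listed above.
function classify(method, headers) {
  const h = lowerKeys(headers);
  if (!("origin" in h)) return "generic";
  if (method === "OPTIONS" && "access-control-request-method" in h) return "preflight";
  return "cors";
}

// Decide whether to grant the request and which CORS response headers to send.
function evaluate(method, headers) {
  const h = lowerKeys(headers);
  const kind = classify(method, headers);
  // No CORS headers: there is nothing for the CORS layer to decide.
  if (kind === "generic") return { kind, allowed: true, headers: {} };
  // Exact string match only: suffix or substring tests let look-alike origins through.
  if (!ALLOWED_ORIGINS.has(h["origin"])) return { kind, allowed: false, headers: {} };
  const out = { "Access-Control-Allow-Origin": h["origin"], "Vary": "Origin" };
  // Credentials are only ever paired with a specific origin, never with "*".
  if (ALLOW_CREDENTIALS) out["Access-Control-Allow-Credentials"] = "true";
  if (kind === "preflight") {
    if (!ALLOWED_METHODS.includes(h["access-control-request-method"])) {
      return { kind, allowed: false, headers: {} };
    }
    out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  }
  return { kind, allowed: true, headers: out };
}

// Constructed sample requests: [method, headers].
const samples = [
  ["GET", {}],
  ["POST", { Origin: "https://app.example.com" }],
  ["OPTIONS", { Origin: "https://app.example.com", "Access-Control-Request-Method": "PUT" }],
  ["GET", { Origin: "https://app.example.com.lookalike.test" }],
];
for (const [m, h] of samples) console.log(m, JSON.stringify(evaluate(m, h)));
```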
OpenEdge uses a third-party Java open source package, CORS Filter, in which all of the primary CORS functionality resides. OpenEdge has integrated CORS Filter into the Java container web applications by implementing a Spring Security filter bean so that the CORS filter can be configured from within the Spring Security configuration files, with all of the other web application security.
Therefore, the CORS support is already incorporated into the web application security policy, and is enabled for all generic requests and CORS requests from any domain.
For more information on the CORS standard and the advances in the standard, see the documentation at http://www.w3.org/TR/cors/.
GET request method, CORS also supports other types of HTTP requests. Using CORS enables a web programmer to use the XMLHttpRequest API, which supports better error handling than JSONP. Also, while JSONP can cause XSS issues where the external site is compromised, CORS allows web sites to manually parse responses to ensure security.