Cross-Origin resource sharingResource Sharing (CORS) is a mechanism that allows resources on a web page to be requested from another domain outside the domain from which the first resource was served. While a web page may freely embed cross-origin images, scripts, iframes, etc. certain cross-domain requests(ex. ajax requests) are forbidden by default by the same-origin security policy. CORS defines how the browser and server must communicate when accessing sources across origins. The basic idea behind CORS is to use custom HTTP headers to allow both the browser and the server know enough about each other to determine if the request or response should succeed or fail.

Enable CORS

Property for enabling the mechanism :

blueriq.security.cors.enabled=true

If CORS is enabled and no other extra configuration added, then by default all origins, headers and method types are allowed. In order to restrict the CORS access refer to the next paragraphs.

Configure allowed origins

...

If the server decides that the request should be allowed, it sends a "Access-Control-Allow-Origin" header echoing back the same origin that was sent or "*" if it's a public resource. If this header is missing,or the origins don't match, then the browser disallows blocks the request.

In order to specified specify the allowed origins add the property "blueriq.security.cors.allowed-origins" in the properties fileneeds to be added in the 

...

In order to specify the allowed headers, add the property "blueriq.security.cors.allowed-headers" needs to be added in the properties file

...

Configure allowed methods

If only some headers methods must be allowed when a cross origin request is made, it can be specified in the properties file the 

Example:

blueriq.security.cors.allowed-methods=GET, POST, PUT

Credentials requests

...