
Cross-Origin Resource Sharing (CORS) is a mechanism that allows resources on a web page to be requested from a domain other than the one from which the first resource was served. While a web page may freely embed cross-origin images, scripts, iframes, etc., certain cross-domain requests (e.g. AJAX requests) are forbidden by default by the same-origin policy. CORS defines how the browser and server must communicate when accessing resources across origins. The basic idea behind CORS is to use custom HTTP headers so that both the browser and the server know enough about each other to determine whether the request or response should succeed or fail.


Note

By default this security mechanism is disabled. The reason is that not all browsers support this feature and it can be a security risk if not configured properly.


Enable CORS

Property for enabling the mechanism:

Code Block
blueriq.security.cors.enabled=true

If CORS is enabled and no further configuration is added, then by default all origins, headers and method types are allowed. To restrict CORS access, refer to the next paragraphs.

Warning

If Cross-Origin Resource Sharing is enabled and a cross-origin request is made, the cookies, authorisation headers and/or TLS client certificates are exposed to the web application as well.

Configure allowed origins

...

In order to specify the allowed origins, the property "blueriq.security.cors.allowed-origins" needs to be added to the properties file, followed by a comma separated list of origins.

...

In order to specify the allowed headers, the property "blueriq.security.cors.allowed-headers" needs to be added to the properties file, followed by a comma separated list of allowed headers.

...

If only some methods must be allowed when a cross-origin request is made, they can be specified in the properties file using the property "blueriq.security.cors.allowed-methods".

...

Code Block
blueriq.security.cors.allowed-methods=GET, POST, PUT
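
The following is an added example, not Blueriq code: it models the semantics documented above (disabled by default; once enabled, an absent allowed-origins/allowed-methods/allowed-headers property means everything is allowed) and reviews a properties file for the risky "enabled but unrestricted" state. Exact origin matching, case-insensitive method names and the sample property files are assumptions made for the demonstration.

```python
# Added example (not Blueriq code): models the documented blueriq.security.cors.*
# semantics and flags a CORS configuration that is enabled without restrictions.
PREFIX = "blueriq.security.cors."

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def effective_cors(props):
    """Disabled unless enabled=true; an absent list property means 'allow all'
    (represented as None), a present one is a comma separated list."""
    def restriction(name):
        value = props.get(PREFIX + name)
        return None if value is None else [v.strip() for v in value.split(",") if v.strip()]
    return {
        "enabled": props.get(PREFIX + "enabled", "false").strip().lower() == "true",
        "origins": restriction("allowed-origins"),
        "methods": restriction("allowed-methods"),
        "headers": restriction("allowed-headers"),
    }

def allows(cfg, origin, method):
    """Would a cross-origin request from `origin` with `method` be accepted?
    Assumption: exact origin match, case-insensitive method names."""
    if not cfg["enabled"]:
        return False
    origin_ok = cfg["origins"] is None or origin in cfg["origins"]
    method_ok = cfg["methods"] is None or method.upper() in [m.upper() for m in cfg["methods"]]
    return origin_ok and method_ok

def review(props):
    """Findings a reviewer raises: CORS enabled while a restricting property is missing."""
    cfg = effective_cors(props)
    if not cfg["enabled"]:
        return []
    return [f"{PREFIX}allowed-{what} not set: all {what} allowed to cross-origin requests"
            for what in ("origins", "methods", "headers") if cfg[what] is None]

# Constructed sample property files (not from a real deployment)
PERMISSIVE = "blueriq.security.cors.enabled=true\n"
RESTRICTED = """blueriq.security.cors.enabled=true
blueriq.security.cors.allowed-origins=https://app.example.com, https://admin.example.com
blueriq.security.cors.allowed-methods=GET, POST, PUT
blueriq.security.cors.allowed-headers=Content-Type, Authorization
"""
```

Running review() over PERMISSIVE yields three findings, while RESTRICTED yields none and only the listed origins and methods pass allows().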

Credentials requests

...