CORS

The cors policy adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
CORS allows a browser and a server to interact and determine whether or not to allow specific cross-origin requests (i.e. XMLHttpRequests calls made from JavaScript on a web page to other domains). This allows for more flexibility than only allowing same-origin requests, but is more secure than allowing all cross-origin requests.
Policy statement
XML
<cors allow-credentials="false|true">
    <allowed-origins>
        <origin>origin uri</origin>
    </allowed-origins>
    <allowed-methods preflight-result-max-age="number of seconds">
        <method>http verb</method>
    </allowed-methods>
    <allowed-headers>
        <header>header name</header>
    </allowed-headers>
    <expose-headers>
        <header>header name</header>
    </expose-headers>
</cors>
Example
This example demonstrates how to support pre-flight requests, such as those with custom headers or methods other than GET and POST. To support custom headers and additional HTTP verbs, use the allowed-methods and allowed-headers sections as shown in the following example.
XML
<cors allow-credentials="true">
    <allowed-origins>
        <!-- Localhost useful for development -->
        <origin>http://localhost:8080/</origin>
        <origin>http://example.com/</origin>
    </allowed-origins>
    <allowed-methods preflight-result-max-age="300">
        <method>GET</method>
        <method>POST</method>
        <method>PATCH</method>
        <method>DELETE</method>
    </allowed-methods>
    <allowed-headers>
        <!-- Examples below show Azure Mobile Services headers -->
        <header>x-zumo-installation-id</header>
        <header>x-zumo-application</header>
        <header>x-zumo-version</header>
        <header>x-zumo-auth</header>
        <header>content-type</header>
        <header>accept</header>
    </allowed-headers>
    <expose-headers>
        <!-- Examples below show Azure Mobile Services headers -->
        <header>x-zumo-installation-id</header>
        <header>x-zumo-application</header>
    </expose-headers>
</cors>
Elements
Name
Description
Required
Default
cors
Root element.
Yes
N/A
allowed-origins
Contains origin elements that describe the allowed origins for cross-domain requests. allowed-origins can contain either a single origin element that specifies * to allow any origin, or one or more origin elements that contain a URI.
Yes
N/A
origin
The value can be either * to allow all origins, or a URI that specifies a single origin. The URI must include a scheme, host, and port.
Yes
If the port is omitted in a URI, port 80 is used for HTTP and port 443 is used for HTTPS.
allowed-methods
This element is required if methods other than GET or POST are allowed. Contains method elements that specify the supported HTTP verbs.
No
If this section is not present, GET and POST are supported.
method
Specifies an HTTP verb.
At least one method element is required if the allowed-methods section is present.
N/A
allowed-headers
This element contains header elements specifying names of the headers that can be included in the request.
No
N/A
expose-headers
This element contains header elements specifying names of the headers that will be accessible by the client.
No
N/A
header
Specifies a header name.
At least one header element is required in allowed-headers or expose-headers if the section is present.
N/A
Attributes
Name
Description
Required
Default
allow-credentials
The Access-Control-Allow-Credentials header in the preflight response will be set to the value of this attribute and affect the client’s ability to submit credentials in cross-domain requests.
No
false
preflight-result-max-age
The Access-Control-Max-Age header in the preflight response will be set to the value of this attribute and affect the user agent’s ability to cache pre-flight response.
No
0
Usage
This policy can be used in the inbound, outbound, and on-error policy scopes.
Questions? 
We're always happy to help with any issues you might have! 
Send us an email to support@youngapp.co or request the demo with our sales team!

API POLICIES - Previous

Cross-domain policies

Next - API POLICIES

Transformation policies

Last updated 10 months ago

Name	Description	Required	Default
`cors`	Root element.	Yes	N/A
`allowed-origins`	Contains `origin` elements that describe the allowed origins for cross-domain requests. `allowed-origins` can contain either a single `origin` element that specifies `*` to allow any origin, or one or more `origin` elements that contain a URI.	Yes	N/A
`origin`	The value can be either `*` to allow all origins, or a URI that specifies a single origin. The URI must include a scheme, host, and port.	Yes	If the port is omitted in a URI, port 80 is used for HTTP and port 443 is used for HTTPS.
`allowed-methods`	This element is required if methods other than GET or POST are allowed. Contains `method` elements that specify the supported HTTP verbs.	No	If this section is not present, GET and POST are supported.
`method`	Specifies an HTTP verb.	At least one `method` element is required if the `allowed-methods` section is present.	N/A
`allowed-headers`	This element contains `header` elements specifying names of the headers that can be included in the request.	No	N/A
`expose-headers`	This element contains `header` elements specifying names of the headers that will be accessible by the client.	No	N/A
`header`	Specifies a header name.	At least one `header` element is required in `allowed-headers` or `expose-headers` if the section is present.	N/A