CORS
The
cors
policy adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.CORS allows a browser and a server to interact and determine whether or not to allow specific cross-origin requests (i.e. XMLHttpRequests calls made from JavaScript on a web page to other domains). This allows for more flexibility than only allowing same-origin requests, but is more secure than allowing all cross-origin requests.
XML
<cors allow-credentials="false|true">
<allowed-origins>
<origin>origin uri</origin>
</allowed-origins>
<allowed-methods preflight-result-max-age="number of seconds">
<method>http verb</method>
</allowed-methods>
<allowed-headers>
<header>header name</header>
</allowed-headers>
<expose-headers>
<header>header name</header>
</expose-headers>
</cors>
This example demonstrates how to support pre-flight requests, such as those with custom headers or methods other than GET and POST. To support custom headers and additional HTTP verbs, use the
allowed-methods
and allowed-headers
sections as shown in the following example.XML
<cors allow-credentials="true">
<allowed-origins>
<!-- Localhost useful for development -->
<origin>http://localhost:8080/</origin>
<origin>http://example.com/</origin>
</allowed-origins>
<allowed-methods preflight-result-max-age="300">
<method>GET</method>
<method>POST</method>
<method>PATCH</method>
<method>DELETE</method>
</allowed-methods>
<allowed-headers>
<!-- Examples below show Azure Mobile Services headers -->
<header>x-zumo-installation-id</header>
<header>x-zumo-application</header>
<header>x-zumo-version</header>
<header>x-zumo-auth</header>
<header>content-type</header>
<header>accept</header>
</allowed-headers>
<expose-headers>
<!-- Examples below show Azure Mobile Services headers -->
<header>x-zumo-installation-id</header>
<header>x-zumo-application</header>
</expose-headers>
</cors>
Name | Description | Required | Default |
cors | Root element. | Yes | N/A |
allowed-origins | Contains origin elements that describe the allowed origins for cross-domain requests. allowed-origins can contain either a single origin element that specifies * to allow any origin, or one or more origin elements that contain a URI. | Yes | N/A |
origin | The value can be either * to allow all origins, or a URI that specifies a single origin. The URI must include a scheme, host, and port. | Yes | If the port is omitted in a URI, port 80 is used for HTTP and port 443 is used for HTTPS. |
allowed-methods | This element is required if methods other than GET or POST are allowed. Contains method elements that specify the supported HTTP verbs. | No | If this section is not present, GET and POST are supported. |
method | Specifies an HTTP verb. | At least one method element is required if the allowed-methods section is present. | N/A |
allowed-headers | This element contains header elements specifying names of the headers that can be included in the request. | No | N/A |
expose-headers | This element contains header elements specifying names of the headers that will be accessible by the client. | No | N/A |
header | Specifies a header name. | At least one header element is required in allowed-headers or expose-headers if the section is present. | N/A |
Name | Description | Required | Default |
allow-credentials | The Access-Control-Allow-Credentials header in the preflight response will be set to the value of this attribute and affect the client’s ability to submit credentials in cross-domain requests. | No | false |
preflight-result-max-age | The Access-Control-Max-Age header in the preflight response will be set to the value of this attribute and affect the user agent’s ability to cache pre-flight response. | No | 0 |
This policy can be used in the inbound, outbound, and on-error policy scopes.
Questions?
We're always happy to help with any issues you might have!
Send us an email to [email protected] or request the demo with our sales team!