Configuring the CORS protocol

The Cross-Origin Resource Sharing (CORS) protocol lets a web server serve resources to web-based clients that were loaded from other domains.

Some web client APIs, for example XMLHttpRequest, enforce a same-origin (same-domain) policy: the client can only access resources from the domain it originated from. For the client to access a resource on a different domain, the HTTP response from that domain must include an Access-Control-Allow-Origin header whose value is the requestor's domain.

For further information on the CORS protocol, see https://www.w3.org/TR/cors/

The MVS Toolkit web server has several properties for configuring the CORS protocol. They are stored in the MVS Toolkit installation folder, in server/config/webservices_configuration.xml

The http-cross-origin-resource-sharing section of webservices_configuration.xml contains the following properties.

Note: The MVS service must be restarted for any changes to the CORS properties to take effect.

<instance id="http-cross-origin-resource-sharing">
   <property name="enabled" value="false"/>
   <property name="Access-Control-Allow-Origin" value="*"/>
   <property name="Access-Control-Allow-Methods" value="GET,POST,HEAD"/>
   <property name="Access-Control-Allow-Headers" value="X-Requested-With,Content-Type,Accept,Origin"/>
   <property name="Access-Control-Max-Age" value="1800"/>
   <property name="Access-Control-Allow-Credentials" value="true"/>
</instance>

enabled
   Enables the CORS protocol. The default value is false.

   Some web clients receive an HTTP status code 401 Unauthorized when they access an MVS web service and CORS is not enabled. To enable CORS, set this property to true.

Access-Control-Allow-Origin
   Contains either an asterisk (*) or a comma-separated list of the domains that are allowed access to web services hosted on the MVS server.

   To allow all client domains, set the value to *. Otherwise, enter a comma-separated list of domains. For example:

   <property name="Access-Control-Allow-Origin" value="http://www.foo.com, http://www.bar.com"/>

Access-Control-Allow-Methods
   Specifies the HTTP methods that are allowed. By default GET, POST and HEAD are allowed. The HTTP OPTIONS method is always supported so that the web server can answer CORS preflight requests, which a client sends to check whether the resource is accessible before making the actual request.

Access-Control-Allow-Headers
   Defines the HTTP headers that a cross-origin request may include.

Access-Control-Max-Age
   The maximum time, in seconds, for which a client may cache the result of a preflight request.

Access-Control-Allow-Credentials
   Specifies whether the request may include user credentials (for example cookies or HTTP authentication). Browsers do not accept a credentialed response whose Access-Control-Allow-Origin is the wildcard *, so when this property is true, list the allowed domains explicitly.
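The following Python script is an added example, not code from the MVS Toolkit or from this page. It parses a constructed copy of the http-cross-origin-resource-sharing section, shows the headers a browser preflight from a given origin would receive, and flags the combinations a reviewer should question before enabling CORS. That the server echoes the single matching origin is an assumption (the response header can carry only one origin or *), as is the sample configuration.

```python
import xml.etree.ElementTree as ET
# Constructed sample of the http-cross-origin-resource-sharing section (not the product's file).
SAMPLE_CONFIG = """<configuration>
<instance id="http-cross-origin-resource-sharing">
   <property name="enabled" value="true"/>
   <property name="Access-Control-Allow-Origin" value="http://www.foo.com, http://www.bar.com"/>
   <property name="Access-Control-Allow-Methods" value="GET,POST,HEAD"/>
   <property name="Access-Control-Allow-Headers" value="X-Requested-With,Content-Type,Accept,Origin"/>
   <property name="Access-Control-Max-Age" value="1800"/>
   <property name="Access-Control-Allow-Credentials" value="true"/>
</instance>
</configuration>"""

def load_cors_properties(xml_text):
    # Return the CORS section as a dict of property name -> value.
    root = ET.fromstring(xml_text)
    instance = root.find(".//instance[@id='http-cross-origin-resource-sharing']")
    return {p.get("name"): p.get("value") for p in instance.findall("property")}

def allowed_origins(props):
    return [o.strip() for o in props.get("Access-Control-Allow-Origin", "").split(",") if o.strip()]

def credentials_allowed(props):
    return props.get("Access-Control-Allow-Credentials", "false").lower() == "true"

def preflight_headers(props, request_origin):
    """Headers an OPTIONS preflight from request_origin would get (matching origin echo is assumed)."""
    if props.get("enabled", "false").lower() != "true":
        return {}  # CORS disabled: no CORS headers at all
    origins = allowed_origins(props)
    if "*" not in origins and request_origin not in origins:
        return {}  # origin not listed: the browser will block the cross-origin read
    headers = {
        "Access-Control-Allow-Origin": "*" if "*" in origins else request_origin,
        "Access-Control-Allow-Methods": props["Access-Control-Allow-Methods"],
        "Access-Control-Allow-Headers": props["Access-Control-Allow-Headers"],
        "Access-Control-Max-Age": props["Access-Control-Max-Age"],
    }
    if credentials_allowed(props):
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def audit(props):
    # Settings to question before enabling CORS on the MVS server.
    findings = []
    origins = allowed_origins(props)
    if "*" in origins and credentials_allowed(props):
        findings.append("wildcard origin with credentials: browsers reject this combination")
    if credentials_allowed(props) and any(o.startswith("http://") for o in origins):
        findings.append("credentialed requests accepted from plain-http origins")
    return findings
```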