Configuring CORS behavior

Hybrid Data Pipeline supports cross-origin resource sharing (CORS) filters that allow the sharing of web resources across domains. CORS provides several advantages over sites with a single-origin policy, including improved resource management and two-way integration between third-party sites. An administrator can enable or disable CORS filtering with the CORSBehavior limit. In turn, the CORS Whitelist API must be used to create and manage a whitelist of trusted origins.

CORS filtering can only be applied at the system level. It cannot be applied to individual tenants. To enable or disable CORS, the administrator must have either the Administrator (12), or the Limits (27) permission and administrative access on the default system tenant. To create and manage a whitelist, the administrator must have either the Administrator (12) permission, or the CORSwhitelist (23) permission and administrative access on the default system tenant.

CORS filters can be enabled either with the Web UI or with the Limits API. For details on using the Web UI, see Manage Limits view.

CORS filtering is disabled by default (CORSBehavior set to 0), and resources are shared only with pages of the same origin. CORS filtering can be enabled by setting the CORSBehavior limit to 1 or 2 via the Limits API. When CORSBehavior is set to 1, the CORS filter is enabled with all origins trusted. When CORSBehavior is set to 2, the CORS filter is enabled with a whitelist of trusted origins. The following POST operation specifies the CORSBehavior endpoint (5). The payload sets the CORSBehavior limit to 2.

When CORS filtering has been enabled to use a whitelist of trusted origins (CORSBehavior set to 2), a whitelist must be created to complete a CORS configuration. The CORS Whitelist API must be used to create the whitelist of trusted origins. The following POST operation specifies the whitelist endpoint with a payload the specifies domains for the trusted origins.