Configuring CORS behavior

Hybrid Data Pipeline supports cross-origin resource sharing (CORS) filters that allow the sharing of web resources across domains. CORS provides several advantages over sites with a single-origin policy, including improved resource management and two-way integration between third-party sites. An administrator can enable or disable CORS filtering with the CORSBehavior limit in the Limits API. In turn, the CORS Whitelist API must be used to create and manage a whitelist of trusted origins.
CORS filtering can only be applied at the system level. It cannot be applied to individual tenants. To enable or disable CORS, the administrator must have either the Administrator (12) permission, or the Limits (27) permission and administrative access on the default system tenant. To create and manage a whitelist, the administrator must have either the Administrator (12) permission, or the CORSwhitelist (23) permission and administrative access on the default system tenant.

Enabling CORS behavior

CORS filtering is disabled by default (CORSBehavior set to 0), and resources are shared only with pages of the same origin. CORS filtering can be enabled by setting the CORSBehavior limit to 1 or 2 via the Limits API. When CORSBehavior is set to 1, the CORS filter is enabled with all origins trusted. When CORSBehavior is set to 2, the CORS filter is enabled with a whitelist of trusted origins. The following POST operation specifies the CORSBehavior endpoint (5). The payload sets the CORSBehavior limit to 2.
POST https://<myserver>:<port>/api/admin/limits/system/5
{
  "value": 2
}

Creating a whitelist for CORS filtering

When CORS filtering has been enabled to use a whitelist of trusted origins (CORSBehavior set to 2), a whitelist must be created to complete a CORS configuration. The CORS Whitelist API must be used to create the whitelist of trusted origins. The following POST operation specifies the whitelist endpoint with a payload that specifies domains for the trusted origins.
Note: The wild card * can be used at the beginning of a domain. For example, *.progress.com is a valid entry, and will whitelist any origin that ends with progress.com. The wild card is not supported at any other location within a domain. For example, progress.abc.*.com is not supported for origin validation.
POST https://<myserver>:<port>/api/admin/security/cors/whitelist
{
  "whitelist": [
    {
      "domain": "http://*.abc.com",
      "description": "The ABC group domain"
    },
    {
      "domain": "http://bar.test.com",
      "description": "The bar trusted origin"
    }
  ]
}
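
The following is an added example, not code from Hybrid Data Pipeline: a pre-submission check that applies the wildcard rule from the note to each entry before the whitelist payload is built. The function names are hypothetical, origin_matches() is only a model of the note's "ends with" wording, and the requirement that a leading * be followed by a dot is an added hardening assumption rather than a documented product rule.

```python
import json

def split_origin(value):
    """Split '[scheme://]host[:port]' into (scheme, host_port), lowercased."""
    scheme, sep, rest = value.strip().lower().partition("://")
    return (scheme, rest) if sep else ("", scheme)

def lint_entry(domain):
    """Return problems found in one whitelist 'domain' value; an empty list means OK."""
    _, host = split_origin(domain)
    problems = []
    if not host or "/" in host:
        problems.append("expected [scheme://]host[:port] with no path")
    # Rule from the note: '*' is supported only at the beginning of the domain.
    if "*" in host[1:]:
        problems.append("wildcard '*' is only supported at the beginning of the domain")
    # Added hardening check (assumption, not a documented product rule): without the
    # dot, a suffix match on '*abc.com' would also cover names such as 'notabc.com'.
    if host.startswith("*") and not host.startswith("*."):
        problems.append("leading '*' should be followed by '.' to stay on a label boundary")
    return problems

def origin_matches(entry, origin):
    """Model of the note's rule: a leading '*' trusts any origin ending with the rest."""
    e_scheme, e_host = split_origin(entry)
    o_scheme, o_host = split_origin(origin)
    if e_scheme and e_scheme != o_scheme:
        return False
    if e_host.startswith("*"):
        return o_host.endswith(e_host[1:])
    return o_host == e_host

def build_payload(entries):
    """Build the whitelist payload, refusing any entry that fails lint_entry()."""
    bad = {d: lint_entry(d) for d, _ in entries if lint_entry(d)}
    if bad:
        raise ValueError(f"rejected whitelist entries: {bad}")
    whitelist = [{"domain": d, "description": text} for d, text in entries]
    return json.dumps({"whitelist": whitelist}, indent=2)

# The two entries from the payload above.
ENTRIES = [("http://*.abc.com", "The ABC group domain"),
           ("http://bar.test.com", "The bar trusted origin")]

if __name__ == "__main__":
    print(build_payload(ENTRIES))
    for origin in ("http://app.abc.com", "http://abc.com.example.net"):
        print(origin, origin_matches("http://*.abc.com", origin))
```

After the whitelist is posted, confirm the server's actual matching with a test request from an origin that should be refused.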