Try OpenEdge Now
skip to main content
REST Administration : REST Management Agent and REST Web Application Security Configurations : Working with security configurations : Extending CORS support
Extending CORS support
Cross-origin resource sharing (CORS) is a W3C group standard that allows an HTTP client to access a Web page loaded from one domain, to make a JavaScript, XMLHttpRequests, to access resources located in another domain. Such "cross-domain" requests are otherwise forbidden by the Web browser's Java Script security default security policy. The CORS standard defines a way in which a client can ask a server if it can access a cross-origin request. The server's configuration helps in determining whether the cross-domain request is granted.
The W3C CORS standard works by adding new HTTP headers that allow servers to permitted domains. Browsers support these headers and enforce the restrictions these headers establish. Additionally, for HTTP request methods that might affect user data (in particular, HTTP methods other than the GET method, or POST method with certain MIME types), the specification mandates that the browser preflight the request, soliciting supported methods from the server with an HTTP OPTIONS request header, and then, upon approval from the server, send the actual request with the actual HTTP request. Servers can also notify clients whether user credentials (including cookies and HTTP authentication data) be sent with requests.
Although most modern browsers support CORS, you should verify CORS support in your browser.
A CORS enabled server or web application classifies all HTTP requests as:
*A CORS request that contains an HTTP Origin header
*A preflight request that contains the Access-Control-Request-Method header in an OPTIONS request
*A generic request that does not contain any CORS HTTP headers
For more information on CORS standard and the advances in the standard, see the documentation at
Note: CORS can be used as an alternative to JSON with padding (JSONP) pattern. While JSONP supports only the GET request method, CORS also supports other types of HTTP requests. Using CORS enables a Web programmer to use regular XMLHttpRequests, which supports better error handling than JSONP. Also, while JSONP can cause XSS issues where the external site is compromised, CORS allows web sites to manually parse responses to ensure security.
OpenEdge uses a third-party Java open source package, CORS Filter, in which all of the primary CORS functionality resides. OpenEdge has integrated CORS filter into the Java container Web applications by implementing a Spring Security filter bean so that the CORS filter can be configured from within the Spring Security configuration files, with all of the other Web application security.
Therefore, the CORS support is already incorporated into the REST Web application security policy, and is enabled for all generic requests and CORS requests from any domain.
* Customizing CORS support
* OECORSFilter properties