Cross-Origin Resource Sharing (CORS)

Cross-origin resource sharing (CORS) is a mechanism that allows a web page to request restricted resources from another domain. Some cross-domain resource requests are forbidden by default by the same-origin security policy. CORS protection provides a means for a browser and server to determine whether it is safe to allow a cross-origin request. It is more flexible than allowing only same-origin requests and more secure than permitting all cross-origin requests. The Grid uses multiple headers for CORS protection. The most notable of these is Access-Control-Allow-Origin, which determines the domains that may access the resources of this domain.

Note: CORS is only available for Grid resources, not for Grid application resources. Grid applications that want to support CORS must handle CORS themselves.

Configuring CORS protection in the Grid

The Grid can be configured with a whitelist of host addresses that are permitted to access Grid resources by using a Grid property. See the Infor ION Grid Administration Guide for details on configuring Grid properties.

  • grid.http.cors.allow.origin.whitelist – This property defines a list of the allowed origins (FQDNs). If the list is empty or the property is not set (the default behavior), the Access-Control-Allow-Origin header is set to the value provided in the request's Origin header, so any requesting origin is allowed.
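
One way to confirm that a whitelist has taken effect is to compare the Access-Control-Allow-Origin header in a response with the Origin that was sent. The following is an added example, not Infor code: the helper names, hostnames and sample responses are constructed, and the header being omitted for unlisted origins is an assumption about whitelisted behavior.

```python
"""Added audit sketch (not Infor code): does a Grid response echo an arbitrary Origin?"""
import urllib.error
import urllib.request

# Constructed origin that should never appear in a real whitelist.
PROBE_ORIGIN = "https://cors-probe.invalid"


def classify_acao(sent_origin, response_headers):
    """Compare Access-Control-Allow-Origin in a response with the Origin that was sent."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return "absent"       # browser will block the cross-origin read
    if acao == "*":
        return "wildcard"
    if acao.lower() == sent_origin.lower():
        return "reflected"    # what the page describes for an empty/unset whitelist
    return "other"


def audit(observations, expected_origins):
    """observations: [(origin_sent, headers)]. Return origins allowed but not expected."""
    allowed = {o.lower() for o in expected_origins}
    return [(origin, verdict)
            for origin, headers in observations
            for verdict in [classify_acao(origin, headers)]
            if verdict in ("reflected", "wildcard") and origin.lower() not in allowed]


def probe(url, origin=PROBE_ORIGIN, timeout=10):
    """Request url on your own Grid with the given Origin; return response headers."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:   # error responses still carry headers
        return dict(err.headers.items())


# Constructed sample responses (no network needed).
TRUSTED = "https://portal.example.com"
DEFAULT_GRID = [(PROBE_ORIGIN, {"Access-Control-Allow-Origin": PROBE_ORIGIN}),
                (TRUSTED, {"Access-Control-Allow-Origin": TRUSTED})]
# Assumption: with a whitelist set, the header is omitted for unlisted origins.
WHITELISTED_GRID = [(PROBE_ORIGIN, {"Content-Type": "text/html"}),
                    (TRUSTED, {"access-control-allow-origin": TRUSTED})]

if __name__ == "__main__":
    print("default:", audit(DEFAULT_GRID, [TRUSTED]))
    print("whitelisted:", audit(WHITELISTED_GRID, [TRUSTED]))
```

To check a live installation, pass the output of probe() for a Grid resource URL into audit() in place of the constructed samples.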

To learn about CORS protection, see https://www.w3.org/TR/cors/