Cross-Origin Resource Sharing (CORS)
EntryStore supports simple CORS requests (POST) as well as advanced CORS with preflight requests (OPTIONS with a subsequent request using any allowed HTTP verb).
The following settings can be used to activate and configure CORS:
entrystore.cors=on|off (default: off)
entrystore.cors.origins=*.domain.com,domain.net,something.* (mandatory if cors=on)
entrystore.cors.origins.allow-credentials=*.internal.domain.com (default: unset)
entrystore.cors.max-age=7200 (default: unset)
entrystore.cors.headers=X-Custom-Header (optional)
The origins setting (controls Access-Control-Allow-Origin) defines a list of allowed origins. There is limited support for wildcards: a single wildcard is supported at the beginning or at the end of an origin. An origin may also consist of a wildcard only, without any surrounding characters. The value of this setting is a comma-separated list.
The max-age setting (controls Access-Control-Max-Age) is the duration in seconds for which the result of preflight requests should be cached.
The headers setting (controls both
Access-Control-Expose-Headers) can be used to allow headers in addition to the (always allowed) simple response headers
Pragma. The value of this setting is a comma-separated list.
The origins.allow-credentials setting controls Access-Control-Allow-Credentials and determines whether cookies may be sent for origins that match the patterns.
Access-Control-Allow-Methods is always set to HEAD, GET, PUT, POST, DELETE, OPTIONS.
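To check which origins a pattern list admits before enabling CORS, the following added example models the wildcard rule described above; it is not EntryStore's own code. It assumes that patterns are compared case-insensitively against the host part of the Origin header and that credentials are only granted to origins that are also in the allow list; the function names and sample origins are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_patterns(value):
    """Split a comma-separated setting value; reject unsupported wildcards."""
    patterns = []
    for raw in value.split(","):
        p = raw.strip().lower()
        if not p:
            continue
        stars = p.count("*")
        # Documented rule: "*" alone, or one "*" at the very start or very end.
        if p != "*" and (stars > 1 or (stars == 1 and p[0] != "*" and p[-1] != "*")):
            raise ValueError(f"unsupported wildcard placement: {raw!r}")
        patterns.append(p)
    return patterns

def matches(pattern, host):
    """Assumed semantics: leading '*' is a suffix match, trailing '*' a prefix match."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def cors_decision(origin_header, origins, credentialed):
    """Return (origin_allowed, credentials_allowed) for one Origin header."""
    host = (urlsplit(origin_header).hostname or "").lower()
    allowed = bool(host) and any(matches(p, host) for p in origins)
    with_credentials = allowed and any(matches(p, host) for p in credentialed)
    return allowed, with_credentials

# Pattern lists taken from the settings shown on this page.
ORIGINS = parse_patterns("*.domain.com,domain.net,something.*")
CREDENTIALED = parse_patterns("*.internal.domain.com")

# Constructed Origin headers used for the audit.
SAMPLES = ["https://app.domain.com", "https://db.internal.domain.com",
           "https://domain.com", "https://domain.net",
           "https://notdomain.net", "https://something.example.org"]

def audit(samples=SAMPLES):
    """Map each sample origin to its (allowed, credentials) decision."""
    return {o: cors_decision(o, ORIGINS, CREDENTIALED) for o in samples}

if __name__ == "__main__":
    for origin, (allowed, creds) in audit().items():
        print(f"{origin:35} allowed={allowed!s:5} credentials={creds}")
```

Under this model, the trailing-wildcard pattern something.* admits any host whose first label is "something", regardless of the parent domain, while *.domain.com does not admit the bare domain.com. Patterns listed in origins.allow-credentials deserve the narrowest form, since they decide where cookies may be sent.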