CORS stands for Cross-Origin Resource Sharing. It is a mechanism that allows resources on a web page to be requested from a domain other than the one from which the resource originated.
Behind the scenes, for AJAX calls and HTTP request methods that can modify data, the CORS specification mandates that browsers "preflight" the request: they first solicit the supported methods from the server with an HTTP OPTIONS request and then, upon "approval" from the server, send the actual request with the actual HTTP request method.
RESTHeart always returns CORS headers to allow requests originated from different domains.
A more fine-grained configuration of CORS is in the backlog; see RH-37.
The following example highlights the CORS headers returned by RESTHeart for a collection resource.

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Accept, Accept-Encoding, Authorization, Content-Length, Content-Type, Host, If-Match, Origin, X-Requested-With, User-Agent, No-Auth-Challenge
Access-Control-Allow-Methods: GET, PUT, POST, PATCH, DELETE, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Location, ETag, Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location
...
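To make the headers above concrete, the following added Python example (not RESTHeart's code) simulates the browser-side CORS decision against exactly those response headers; the helper names and the sample origin are assumptions. One caveat it encodes: with a wildcard Access-Control-Allow-Origin a browser rejects credentialed requests (cookies or browser-managed HTTP auth) regardless of Access-Control-Allow-Credentials, so the headers shown serve non-credentialed requests, where an Authorization header set explicitly by script still passes.

```python
# Added example, not RESTHeart code. Constructed sample: the CORS headers
# RESTHeart returns for a collection resource, copied from the response above.
RESTHEART_CORS = {
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": ("Accept, Accept-Encoding, Authorization, "
        "Content-Length, Content-Type, Host, If-Match, Origin, X-Requested-With, "
        "User-Agent, No-Auth-Challenge"),
    "Access-Control-Allow-Methods": "GET, PUT, POST, PATCH, DELETE, OPTIONS",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Expose-Headers": ("Location, ETag, Auth-Token, "
        "Auth-Token-Valid-Until, Auth-Token-Location"),
}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# CORS-safelisted request headers (simplified: the Content-Type value is not checked).
SAFELISTED_REQUEST = {"accept", "accept-language", "content-language", "content-type"}
# Response headers script may read even without Access-Control-Expose-Headers.
SAFELISTED_RESPONSE = {"cache-control", "content-language", "content-length",
                       "content-type", "expires", "last-modified", "pragma"}

def _csv(headers, name):
    """Comma-separated header value -> set of trimmed, lower-cased tokens."""
    return {v.strip().lower() for v in headers.get(name, "").split(",") if v.strip()}

def needs_preflight(method, request_headers):
    """True when the browser must send an OPTIONS preflight before the real request."""
    return (method.upper() not in SIMPLE_METHODS
            or any(h.lower() not in SAFELISTED_REQUEST for h in request_headers))

def preflight_allowed(cors, origin, method, request_headers, with_credentials=False):
    """Return (allowed, reason) the way a browser judges the preflight response."""
    allow_origin = cors.get("Access-Control-Allow-Origin")
    if with_credentials:  # cookies or browser-managed HTTP auth on the request
        if allow_origin == "*":  # wildcard is rejected regardless of Allow-Credentials
            return False, "wildcard origin not accepted for credentialed requests"
        if cors.get("Access-Control-Allow-Credentials") != "true":
            return False, "Access-Control-Allow-Credentials is not 'true'"
    if allow_origin not in ("*", origin):  # also covers a missing header
        return False, f"origin {origin} not allowed"
    if (method.upper() not in SIMPLE_METHODS
            and method.lower() not in _csv(cors, "Access-Control-Allow-Methods")):
        return False, f"method {method} not in Access-Control-Allow-Methods"
    allowed = _csv(cors, "Access-Control-Allow-Headers")
    for h in request_headers:
        if h.lower() not in SAFELISTED_REQUEST and h.lower() not in allowed:
            return False, f"header {h} not in Access-Control-Allow-Headers"
    return True, "ok"

def readable_response_headers(cors):
    """Response headers script may read: the safelisted ones plus the exposed list."""
    return SAFELISTED_RESPONSE | _csv(cors, "Access-Control-Expose-Headers")
```

A PATCH with If-Match therefore preflights and is allowed from any origin, while the same request sent with credentials is refused by the browser because of the wildcard origin.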