Cross Origin Resource Sharing - Completing the Create or Save As form

You create cross-origin resource sharing (CORS) policies to control how other systems or websites (origins) are allowed to access resources (APIs and services) provided by your application. After you create a CORS policy, you must map it to an application endpoint describing the location of the resources, to specify where the policy is applied.

Matching

The sequence in which you list the CORS policies is significant. At run time, the system checks the CORS policy rules, in the order that they are listed on the CORS-Endpoint Security form, until a match is found. Matching is based on the request method and the origin header value, which the system compares to the allowed request methods and allowed origins.

  • A request from the origin that is specified in the CORS policy is recognized as secure for this endpoint. Requests that satisfy the policy receive responses with the appropriate headers, as defined in the CORS policy.
  • A request from an origin that is not specified in the CORS policy is not considered secure and returns an error message explaining that the cross-origin request was denied.
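
The following added example (not product code) models the ordered, first-match evaluation described above and shows why list order matters when two policies cover the same origin. The field names, policy names, exact-string origin comparison, and response header choices are assumptions made for illustration.

```javascript
// Simplified model of ordered, first-match CORS policy evaluation.
// Field names and sample policies are constructed for this example.
const policies = [
  { name: "PartnerReadOnly", allowedOrigins: ["https://partner.example"],
    allowedMethods: ["GET"], allowCredentials: false },
  { name: "PartnerFullAccess", allowedOrigins: ["https://partner.example"],
    allowedMethods: ["GET", "POST"], allowCredentials: true },
];

// Return the first listed policy whose allowed origins and allowed methods
// both contain the request's Origin header value and method, or null.
function matchPolicy(orderedPolicies, method, origin) {
  for (const p of orderedPolicies) {
    if (p.allowedOrigins.includes(origin) &&
        p.allowedMethods.includes(method.toUpperCase())) {
      return p;
    }
  }
  return null;
}

// Produce the outcome: response headers on a match, a denial otherwise.
function evaluate(orderedPolicies, method, origin) {
  const p = matchPolicy(orderedPolicies, method, origin);
  if (p === null) {
    return { allowed: false, policy: null, error: "Cross-origin request denied" };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": p.allowedMethods.join(", "),
    "Vary": "Origin",
  };
  if (p.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { allowed: true, policy: p.name, headers };
}

const partner = "https://partner.example";
// As listed: GET stops at the read-only policy, POST falls through to the second.
console.log(evaluate(policies, "GET", partner).policy);
console.log(evaluate(policies, "POST", partner).policy);
// Reversed: the broader policy now answers GET too, with credentials allowed,
// and the read-only policy is never reached for this origin.
console.log(evaluate([...policies].reverse(), "GET", partner).headers);
// An origin that no policy lists is denied.
console.log(evaluate(policies, "GET", "https://unlisted.example").error);
```

When reviewing a policy list, check whether an earlier, broader entry shadows a later, stricter one for the same origin and method.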

Key parts

The key for a CORS policy has one part:

| Field | Description |
|---|---|
| Policy name | Enter a descriptive name for the CORS policy. You might name the policy for an endpoint or for the API or REST service that you intend to protect. |