Handling Cross Origin Requests
  • 27 Mar 2025

Overview

CORS, or Cross-Origin Resource Sharing, is an HTTP-header-based mechanism that lets a server indicate which origins other than its own a browser should permit to load its resources. By default, browsers block cross-origin requests as a security feature; enabling CORS relaxes that restriction for the specified websites. Before certain requests, the browser makes a preflight request to the server hosting the cross-origin resource to check that the server will permit the actual request. Decisions can handle simple requests (GET, POST, etc.) out of the box; however, requests with preflight checks require changes to the Decisions Settings.xml file for the requests to succeed.

To allow Decisions to be opened in an IFrame, some additional steps are needed, such as enabling SingleSignOn in the Settings.xml and allowing SameSite cookies to be accepted.

Example

To enable cross-origin requests, Decisions requires changes to the CustomHeaders section of the Settings.xml file. Enter the URL of the origin that needs to be allowed. Once these changes have been made, restart Decisions.

For the Settings.xml:

<CustomHeaders>
 <CustomHeader>
  <Name>Content-Security-Policy</Name>
  <Value>https://*.example.com</Value>
 </CustomHeader>
</CustomHeaders>

For a standard installation, the Settings.xml file will be located here: C:\Program Files\Decisions\Decisions Server

Large File Handler Example

To support custom headers in the Large File Handler, add the following configuration to the Settings.xml file:

<CustomHeaders> 
 <CustomHeader> 
  <Name>Access-Control-Allow-Origin</Name> 
  <Value>*</Value> 
 </CustomHeader> 
 <CustomHeader> 
  <Name>Access-Control-Allow-Headers</Name> 
  <Value>Content-Type, Authorization, X-Custom-Header</Value> 
 </CustomHeader> 
</CustomHeaders>

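Because Access-Control-Allow-Origin is set to *, this configuration allows the Large File Handler to accept requests from any origin. To limit access, enter the specific origin that needs to be allowed in place of *. After making these changes, restart the Decisions application for them to take effect.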
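
The check a browser applies to a preflight response, sketched here as an added example (not Decisions code) against the Large File Handler headers above. It is a simplified model of the Fetch standard's rules; the function name, the request shape and the https://app.example.com origin are assumptions, and a 2xx preflight status is assumed.

```javascript
// Simplified model of the browser's CORS preflight decision (added example).
// Header values are those from the Large File Handler Settings.xml example.
const LARGE_FILE_HANDLER = {
  "access-control-allow-origin": "*",
  "access-control-allow-headers": "Content-Type, Authorization, X-Custom-Header",
};
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

// Split a comma-separated header value into trimmed tokens.
const list = (value) => (value || "").split(",").map((t) => t.trim()).filter(Boolean);
const deny = (reason) => ({ allowed: false, reason });

// responseHeaders: OPTIONS response headers keyed by lower-case name (2xx status assumed).
// request: { origin, method, unsafeHeaders, credentials }; unsafeHeaders lists the
// request headers that are not CORS-safelisted (e.g. Content-Type: application/json).
function preflightAllows(responseHeaders, request) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (!allowOrigin) return deny("no Access-Control-Allow-Origin header");
  if (request.credentials) {
    // With credentials the origin must match exactly; "*" is not accepted.
    if (allowOrigin !== request.origin) return deny("credentialed request needs an exact origin");
    if (responseHeaders["access-control-allow-credentials"] !== "true") {
      return deny("Access-Control-Allow-Credentials is not true");
    }
  } else if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return deny("origin not allowed");
  }
  const wildcardOk = !request.credentials; // "*" is only a wildcard without credentials
  const methods = list(responseHeaders["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.includes(request.method) && !methods.includes(request.method)
      && !(wildcardOk && methods.includes("*"))) {
    return deny(`method ${request.method} not in Access-Control-Allow-Methods`);
  }
  const allowed = list(responseHeaders["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const name of request.unsafeHeaders.map((h) => h.toLowerCase())) {
    // Authorization is never covered by "*"; it has to be listed by name.
    const viaWildcard = wildcardOk && name !== "authorization" && allowed.includes("*");
    if (!allowed.includes(name) && !viaWildcard) {
      return deny(`header ${name} not in Access-Control-Allow-Headers`);
    }
  }
  return { allowed: true, reason: "preflight passes" };
}

// Constructed sample request from a page served at https://app.example.com.
const base = { origin: "https://app.example.com", method: "POST",
               unsafeHeaders: ["Content-Type", "Authorization"], credentials: false };
console.log(preflightAllows(LARGE_FILE_HANDLER, base));
console.log(preflightAllows(LARGE_FILE_HANDLER, { ...base, method: "PUT" }));
```

With the headers shown, a PUT or DELETE fails the preflight because the example sets no Access-Control-Allow-Methods header, and a credentialed request fails because * is not accepted as the origin.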

