Handling Cross Origin Requests

Overview

CORS or Cross-Origin Resource Sharing is an HTTP-header-based mechanism that allows a browser to load resources from any origin. The browser will make a "preflight" request to the server hosting the cross-origin resource to check that the server will permit the actual request. By default, Decisions can handle simple requests (GET, POST, etc); however, requests with preflight checks will require some changes to the Decisions web.config and Settings.xml files for the requests to succeed.

For allowing Decisions to be open in an IFrame, there are some additional steps that are needed, such as enabling SingleSignOn in the Settings.xml along with allowing SameSite cookies to be accepted.

Example

In order to enable cross-origin requests, Decisions will require changes to the web.config and the Settings.xml file. Once these changes have been made, restart Decisions.

For the web.config file:

Locate the httpProtocol tag. Under the tag, include the below segment:

<httpProtocol> <customHeaders> <add name="X-Frame-Options" value=”SAMEORIGIN” or "[URLToFrame]"/> <add name="Access-Control-Allow-Origin" value="*" /> <add name="Access-Control-Allow-Methods" value="GET, PUT, POST,DELETE, HEAD"/> <add name="Access-Control-Allow-Credentials" value="true" /> <add name="Access-Control-Allow-Headers" value="X-Requested-With, origin, content-type, accept" /> </customHeaders> </httpProtocol>

For a standard installation, the web.config file will be located here: C:\Program Files\Decisions\Decisions Web Host

For the Settings.xml:

<CustomHeaders> <CustomHeader> <Name>Content-Security-Policy</Name> <Value>https://*.example.com</Value> </CustomHeader> </CustomHeaders>

For a standard installation, the Settings.xml file will be located here: C:\Program Files\Decisions\Decisions Services Manager

Overview

Example

What's Next