REST API - Cross Origin Request Sharing (CORS)

Cross Origin Request Sharing (CORS) refers to the ability to access a normally restricted resource via JavaScript running in a browser. By default, a browser will not allow JavaScript to make POST, PATCH, and DELETE requests to a domain other than the one that originally served the page.

Because it can be useful to write browser-based JavaScript applications, or to upload and download documents directly to and from SpringCM in the browser, SpringCM supports CORS requests to the Object, Task and Content APIs for whitelisted domains. SpringCM does not support CORS for authentication requests, because that would require exposing an application's Client Secret in the browser. Client Secrets should never be exposed to the outside world; they should be stored securely on a server and passed only when needed to authenticate to the API. Browser-based applications therefore also need a server component that authenticates and passes an access token to the client-side JavaScript code.

Because the access token used to call the API is visible to the end user in the browser, only access tokens issued in the context of that end user should be used for CORS requests. Using API User access tokens in a CORS-based application is not recommended.

To allow cross-domain requests from an origin domain, that domain must be whitelisted for the SpringCM account being accessed. In SpringCM Preferences, navigate to REST API Permitted Domains and add the domain from which the web pages that will call the API are served. Domains can include wildcards for convenience.

Add only the domains that are necessary, and use wildcards sparingly. Ideally, allow exactly the domains that are needed and no others.
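As an added illustration (not SpringCM's code), this is how a server-side origin allowlist with wildcard entries is typically evaluated before CORS response headers are emitted, and why a wildcard should cover one label only. The entry syntax (an exact origin, or `*` standing for exactly one leading DNS label) and the sample allowlist are assumptions, not SpringCM's actual Permitted Domains format.

```javascript
// Added example, not SpringCM's code. Shows how a server-side origin
// allowlist with wildcards is typically evaluated before CORS headers are
// emitted. Assumed entry syntax: an exact origin ("https://app.example.com")
// or "https://*.example.com", "*" = exactly one DNS label. No IPv6 hosts.

function parseOrigin(value) {
  // Origin header is scheme://host[:port]; reject "null" and anything else.
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.pathname !== "/" || url.search || url.hash || url.username) return null;
  return { scheme: url.protocol.slice(0, -1), host: url.hostname.toLowerCase(), port: url.port };
}

function matchesEntry(origin, entry) {
  const sep = entry.indexOf("://");
  if (sep < 0) return false;
  const scheme = entry.slice(0, sep).toLowerCase();
  let hostPattern = entry.slice(sep + 3).toLowerCase();
  let port = "";
  const colon = hostPattern.indexOf(":");
  if (colon >= 0) { port = hostPattern.slice(colon + 1); hostPattern = hostPattern.slice(0, colon); }
  if (scheme !== origin.scheme || port !== origin.port) return false;
  if (!hostPattern.startsWith("*.")) return hostPattern === origin.host;
  // The wildcard covers one leading label: "*.example.com" matches
  // "app.example.com" but neither "example.com" nor "a.b.example.com".
  const suffix = hostPattern.slice(1); // ".example.com"
  if (!origin.host.endsWith(suffix)) return false;
  const label = origin.host.slice(0, -suffix.length);
  return label.length > 0 && !label.includes(".");
}

function isOriginAllowed(originHeader, allowlist) {
  const origin = parseOrigin(originHeader);
  return origin !== null && allowlist.some((entry) => matchesEntry(origin, entry));
}

// Response headers for a request carrying the given Origin. Echo the matched
// origin rather than "*"; with no Allow-Origin header the browser blocks the read.
function corsHeaders(originHeader, allowlist) {
  if (!isOriginAllowed(originHeader, allowlist)) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST, PATCH, DELETE",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
  };
}
// Constructed allowlist for the demonstration.
const ALLOWLIST = ["https://app.example.com", "https://*.partner.example"];
```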