CORS Access Control for REST APIs
Overview
Cross-Origin Resource Sharing (CORS) enables secure communication when a browser-based programming language, such as JavaScript, is used to access content from another domain over HTTP. Previously, without CORS headers, calls to Oracle CPQ REST endpoints from other domains in a browser context were blocked.
Beginning in Release 18B, trusted origins can access Oracle CPQ REST services, and access-control headers can be included in Oracle CPQ REST responses. This allows applications in external domains to verify their permissions on an Oracle CPQ site. By supporting CORS headers in REST responses, CORS provides better access control for Oracle CPQ REST APIs invoked by external applications.
This functionality is enabled by default. Customers who want CORS header support for external applications should file a Service Request to establish their white-listed trusted origins. The following table lists the supported CORS headers.
| CORS Header | Purpose |
|---|---|
| Access-Control-Allow-Origin | Contains a comma-separated list of trusted origins from which a client application can access resources. For example: http://externaldomain.com. Note: an origin value must be provided for this header to enable CORS. |
| Access-Control-Max-Age | Specifies how long the result of a preflight request is stored in the preflight result cache. The default value for caching preflight requests is 3600 seconds. |
| Access-Control-Allow-Methods | Contains a comma-separated list of HTTP methods permitted in an Oracle CPQ REST API request. Default values for allowed methods are GET, POST, PUT, PATCH, DELETE, and OPTIONS. |
| Access-Control-Allow-Headers | Contains a comma-separated list of HTTP headers permitted in an Oracle CPQ REST request. Default values for allowed headers are Accept, Accept-Encoding, Cache-Control, Content-MD5, Content-Type, If-Match, If-None-Match, Origin, User-Agent, X-HTTP-Method-Override, X-Requested-By. Note: "Authorization" must be included in the list of allowed headers. For example: Accept, Accept-Encoding, Cache-Control, Authorization |
| Access-Control-Allow-Credentials | Specifies whether a client application can send user credentials with a request. This option accepts two values: True enables sending credentials with the request; False, the default value, disables sending credentials with the request. |
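To make the table concrete, the following is an added example (not Oracle CPQ's own code) of a preflight policy check using the header defaults listed above. The allow list, the policy object and the request shapes are constructed for illustration; the check also shows why "Authorization" has to be added to the allowed headers before a credentialed request can pass.

```javascript
// Constructed policy mirroring the documented defaults: one trusted origin,
// 3600 s preflight cache, the default methods and headers, credentials off.
const DEFAULT_POLICY = {
  allowedOrigins: ['https://externaldomain.example'], // constructed allow list
  maxAge: 3600,
  allowedMethods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Accept', 'Accept-Encoding', 'Cache-Control', 'Content-MD5',
    'Content-Type', 'If-Match', 'If-None-Match', 'Origin', 'User-Agent',
    'X-HTTP-Method-Override', 'X-Requested-By'],
  allowCredentials: false,
};

// Evaluate a preflight (OPTIONS) request against the policy. Returns the CORS
// response headers the server should emit, or null when the request is refused.
// req = { origin, requestMethod, requestHeaders } taken from the Origin,
// Access-Control-Request-Method and Access-Control-Request-Headers headers.
function preflightResponse(req, policy = DEFAULT_POLICY) {
  // The origin must match an allow-listed entry exactly (scheme, host, port).
  if (!policy.allowedOrigins.includes(req.origin)) return null;

  const method = (req.requestMethod || '').toUpperCase();
  if (!policy.allowedMethods.includes(method)) return null;

  // Header names are case-insensitive; every requested header must be allowed.
  const allowed = new Set(policy.allowedHeaders.map((h) => h.toLowerCase()));
  const requested = (req.requestHeaders || '').split(',')
    .map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!requested.every((h) => allowed.has(h))) return null;

  // Browsers accept a single value in Access-Control-Allow-Origin, so the
  // matching origin is echoed back rather than the whole configured list.
  const headers = {
    'Access-Control-Allow-Origin': req.origin,
    'Access-Control-Max-Age': String(policy.maxAge),
    'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
    'Access-Control-Allow-Headers': policy.allowedHeaders.join(', '),
    'Vary': 'Origin', // response depends on Origin, so caches must key on it
  };
  if (policy.allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}
```

With the default policy, a request that lists Authorization is refused; adding Authorization to allowedHeaders and enabling allowCredentials lets it through.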
Notes
Beginning in Oracle CPQ 22A, customers who use JavaScript in cross-site requests can be CORS-compliant by including the sites involved in the cross-site request in the CORS compliance allow list. To update the allow list, log a Service Request (SR) on My Oracle Support.