Extension point corsConfig
Documentation
Add a CORS compliant url's pattern
Mandatory: - name: name of the config - pattern: url pattern to match
Optionnal: - allowGenericHttpRequests: If false, only valid and accepted CORS requests that be allowed (strict CORS filtering). - allowOrigin: Whitespace-separated list of origins that the CORS filter must allow. - allowSubdomains: If true the CORS filter will allow requests from any origin which is a subdomain origin of the allowed origins. - supportedMethods: List of the supported HTTP methods. - supportedHeaders: The names of the supported author request headers. - exposedHeaders: List of the response headers other than simple response headers that the browser should expose to the author of the cross-domain request through the XMLHttpRequest.getResponseHeader() method. - supportsCredentials: Indicates whether user credentials, such as cookies, HTTP authentication or client-side certificates, are supported. - maxAge: Indicates how long the results of a preflight request can be cached by the web browser, in seconds.
Some samples: - Minimal contribution:
<corsConfig name="minimal">
<pattern>/nuxeo/site/.*</pattern>
</corsConfig>
- Contribution with default values:
<corsConfig allowGenericHttpRequests="true" allowOrigin="*"
allowSubdomains="false" exposedHeaders="" maxAge="-1"
name="defaults" supportedHeaders="*"
supportedMethods="GET, POST, HEAD, OPTIONS" supportsCredentials="true">
<pattern>/nuxeo/site/.*</pattern>
</corsConfig>
- Other dummy contribution:
<corsConfig allowGenericHttpRequests="true"
allowOrigin="http://example.com http://example.com:8080"
allowSubdomains="true" exposedHeaders="X-Custom-1, X-Custom-2"
maxAge="3600" name="dummy"
supportedHeaders="Content-Type, X-Requested-With"
supportedMethods="GET" supportsCredentials="false">
<pattern>/nuxeo/site/.*</pattern>
</corsConfig>
@since 5.7.2
Contribution Descriptors
- Class: org.nuxeo.ecm.platform.web.common.requestcontroller.service.NuxeoCorsFilterDescriptor