If you perform cross-domain requests from any JavaScript client to access WebEngine resources or Automation APIs, there's a chance that your browser will block it. CORS allows you to communicate with Nuxeo from another domain using XMLHttpRequests.
Nuxeo uses a filter to handle those cases. It's based on Vladimir Dzhuvinov's universal CORS filter, and allows you to configure on which URLs cross-origin headers are needed. You'll be able to configure each URL independently.
Configuration
Here is the list of all [optional] contribution attributes.
| Attribute name | Description / Possible Values | Default value |
|---|---|---|
allowGenericHttpRequests |
If false, only valid and accepted CORS requests are allowed (strict CORS filtering).true | false
|
true |
allowOrigin |
The whitespace-separated list of origins that the CORS filter must allow.* | http://example.com http://example.com:8080
|
* |
allowSubdomains |
If true, CORS filter will allow requests from any origin which is a sub-domain origin of the allowed origins.true | false
|
false |
supportedMethods |
The list of the supported HTTP methods.* | comma-separated list of HTTP methods
|
GET, POST, HEAD, OPTIONS |
supportedHeaders |
The names of the supported author request headers.* | comma-separated list of headers
|
* |
exposedHeaders |
The list of response headers other than simple response headers that the browser should expose to the author of the cross-domain request through the XMLHttpRequest.getResponseHeader() method.* | comma-separated list of headers
|
* |
supportsCredentials |
Indicates whether user credentials, such as cookies, HTTP authentication or client-side certificates, are supported.true | false
|
true |
maxAge |
Indicates how long the results of a preflight request can be cached by the web browser, in seconds.integer
|
-1 |
Verifying That the Contribution Is Taken into Account
To debug your CORS configuration, use a cURL request and look at the response. If you haven't blocked the OPTIONS method, you should test with the preflight request for an expected POST request:
curl --verbose -H "Origin: http://www.nuxeo.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS http://NUXEO_SERVER/nuxeo/site/foobar/upload
With the default configuration, preflight's response looks like this:
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Access-Control-Allow-Origin: http://www.nuxeo.com
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: HEAD, POST, GET, OPTIONS
< Access-Control-Allow-Headers: X-Requested-With
< Content-Length: 0
The Access-Control-Allow-* headers contain the expected values.
Examples
Here is an example of the simplest contribution, allowing cross-domain requests on the whole foobar site:
<extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="corsConfig">
<corsConfig name="foobar" supportedMethods ="GET,POST,HEAD,OPTIONS,DELETE,PUT">
<pattern>/nuxeo/.*</pattern>
</corsConfig>
</extension>
A fooly complete contribution would look like:
<extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="corsConfig">
<corsConfig name="fooly" allowGenericHttpRequests="true"
allowOrigin="http://example.com http://example.com:8080"
allowSubdomains="true" supportedMethods="GET"
supportedHeaders="Content-Type, X-Requested-With"
exposedHeaders="X-Custom-1, X-Custom-2"
supportsCredentials="false" maxAge="3600">
<pattern>/fooly/site/.*</pattern>
</corsConfig>
</extension>