Contact Free trial Login

CORS

Policy name

cross-origin resource sharing (CORS)

Summary

Enables access to resources residing in external domains

Category

Compliance

Available from Mule version

v4.1.1

CORS is a mechanism by which a web application can access resources that are defined in another domain. Using CORS, applications invoking JavaScript XMLHttpRequest (XHR) calls from a web page can interact with resources from non-origin domains.

Typically, web browsers implement this standard for allowing cross-origin requests. Your API is categorized as a public resource by default when you apply this policy. If you want to share only specific resources of your API, you can configure the policy as a restricted resource.

The CORS policy complies with the CORS W3C recommendationstandards.

You must specify the default group before specifying another. The default group is the first group that you must configure for CORS. When a configuration error occurs, the policy resets to the default configuration.

By design, you cannot change the order of execution for the CORS policy. If a protected request using OPTIONS is sent to an application that has the CORS policy applied, the request will not reach the protected resource. According to the CORS specification, all OPTIONS requests are considered preflight.

cors policy

Configuring CORS for non-API Gateway Mule Environments

If your Mule runtime engine (Mule) is not enabled with API gateway capabilities and you need to implement the CORS functionality, you can use the CORS Interceptor. The CORS Interceptor is an element in the HTTP Listener configuration made available in Mule 4.0.

The CORS configuration differs based on whether you leverage the CORS policy capabilities as a public resource or as a selected group of origins.

For the Selected Group of Origins structure, the following example shows the elements that might be configured:

<http:listener-interceptors>
   <http:cors-interceptor allowCredentials="optional boolean value (true/false)">
       <http:origins> (collection of origins)
           <http:origin url="http://origin.com" accessControlMaxAge="integer value">
               <http:allowed-methods>
                   <http:method methodName="method 1"/>
	    ...
                   <http:method methodName="method n"/>
               </http:allowed-methods>
               <http:allowed-headers>
                   <http:header headerName="header 1"/>
 	    ...
                   <http:header headerName="header n"/>
               </http:allowed-headers>
               <http:expose-headers>
                   <http:header headerName="header 1"/>
	    ...
                   <http:header headerName="header n"/>
               </http:expose-headers>
           </http:origin>
       </http:origins>
   </http:cors-interceptor>
</http:listener-interceptors>

For the Public Resource structure, the following example shows the elements that might be configured:

<http:listener-interceptors>
   <http:cors-interceptor allowCredentials="optional boolean value (true/false)">
       <http:origins>
           <http:public-resource/>
       </http:origins>
   </http:cors-interceptor>
</http:listener-interceptors>

Disabling Same-Origin Restrictions in Your Browser

If you cannot implement CORS for your API, you might need to disable the same-origin restrictions in your browser to call an inaccessible API. How you modify your browser to perform this action depends on the browser you are using.

However, before you modify your browser settings, be sure to consider the potential security implications and restrict changes to your own web pages to avoid external threats. As a best practice, you must use these browser settings only for testing in your own web pages.

Disable Same-Origin Restrictions on Google Chrome for Mac OS X

To disable same-origin restrictions on Google Chrome for Mac OS X:

  1. Open a new Terminal window and run the following command:

    open -a Google\ Chrome --args --disable-web-security.

  2. Press Enter.

Disable Same-Origin Restrictions on Google Chrome for Windows

To disable same-origin restrictions on Google Chrome for Windows:

  1. Open a Command prompt window.

  2. Navigate to the location of the Chrome executable file (Chrome.exe).

  3. Run the following command:

    chrome.exe --disable-web-security.

  4. Press Enter.

Disable Same-Origin Restrictions on Internet Explorer

To disable same-origin restrictions on Internet Explorer:

  1. Navigate to Internet Properties > Security > Custom Level in Security Level for this Zone > Miscellaneous.

  2. Enable the Enable Access to Data Sources Across Domains option to access data sources across domains.

Configuring Policy Parameters

When you apply the policy to your API from the UI, the following parameters are displayed:

Element Description Required?

Public resource

Whether the CORS configuration is to be applied as a public resource (default)

Yes

Default group

Whether the CORS configuration is to be applied only to specific resources (requires unselecting Public resource

No

Support credentials

Whether the policy supports credentials, such as cookies, authorization headers, and TLS client certificates

No