This manual is deprecated. Please visit https://groupoffice.readthedocs.io for the latest documentation.
Difference between revisions of "CORS"
(Created page with "Cross-origin resource sharing (CORS) is a mechanism that allows JavaScript on a web page to make XMLHttpRequests to another domain, not the domain the JavaScript originated from....")
Line 9: | Line 9: | ||
<pre> | <pre> | ||
− | $config['extra_headers']=array('Access-Control-Allow-Origin: *', | + | $config['extra_headers']=array('Access-Control-Allow-Origin: http://localhost http://example.foo', //Wildcard * doesn't work with credentials. Login will work but further communication fails |
+ | 'Access-Control-Allow-Credentials: true', | ||
'Access-Control-Allow-Headers: x-requested-with, content-type', | 'Access-Control-Allow-Headers: x-requested-with, content-type', | ||
'Access-Control-Allow-Methods: POST, GET, OPTIONS'); | 'Access-Control-Allow-Methods: POST, GET, OPTIONS'); | ||
</pre> | </pre> |
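Review bot: the new `Access-Control-Allow-Origin` value on the first changed line lists two origins separated by a space, which browsers do not accept; the header carries exactly one origin (or `*`), so as written neither `http://localhost` nor `http://example.foo` will be allowed. Pick the origin that matches the request's `Origin` header from an allowlist, echo only that one, and add `Vary: Origin` so caches do not serve one origin's response to another. The trailing `//` comment on that line only works because the next array element starts on a new line; a note in the text that the elements must stay on separate lines would save the next editor from collapsing them.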
Latest revision as of 12:17, 28 May 2014
Cross-origin resource sharing (CORS) is a mechanism that allows JavaScript on a web page to make XMLHttpRequests to another domain, not the domain the JavaScript originated from.[1] Such "cross-domain" requests would otherwise be forbidden by web browsers, per the same origin security policy. CORS defines a way in which the browser and the server can interact to determine whether or not to allow the cross-origin request.[2] It is more useful than only allowing same-origin requests, but it is more secure than simply allowing all such cross-origin requests.
Allowing access to Group-Office from another domain can be useful for development. You need at least Group-Office 5.0.25 for this to work.
The following config.php parameters allow cross-origin requests from the listed origins. Note that allowing any origin (the `*` wildcard) is insecure; restrict the origins to the ones you actually need:
<pre>
$config['extra_headers']=array('Access-Control-Allow-Origin: http://localhost http://example.foo', //Wildcard * doesn't work with credentials. Login will work but further communication fails
'Access-Control-Allow-Credentials: true',
'Access-Control-Allow-Headers: x-requested-with, content-type',
'Access-Control-Allow-Methods: POST, GET, OPTIONS');
</pre>
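Because browsers accept only a single origin in Access-Control-Allow-Origin and refuse the wildcard together with credentials, the usual approach is to build the header per request from an allowlist. The snippet below is an added example, not Group-Office's own code; the function name corsHeadersFor, the $allowedOrigins array and the assumption that config.php runs once per request (so $_SERVER['HTTP_ORIGIN'] is available) are mine.

```php
<?php
// Added example (not Group-Office code): emit the CORS headers for the one
// origin that matches the request, instead of listing several origins in a
// single header value, which browsers reject.

// Exact origins (scheme + host + optional port) allowed to call Group-Office.
// Constructed sample values; replace with your own development origins.
$allowedOrigins = ['http://localhost', 'http://example.foo'];

/**
 * Return the header lines to send for the given request Origin, or an empty
 * array when the origin is not allowlisted (no CORS headers at all, so the
 * browser blocks the cross-origin read).
 */
function corsHeadersFor(?string $origin, array $allowedOrigins): array
{
    // Strict, exact comparison: no prefix, substring or regex matching, so a
    // longer host that merely begins with an allowed origin is rejected.
    if ($origin === null || !in_array($origin, $allowedOrigins, true)) {
        return [];
    }
    return [
        // Echo only the matched origin, never the '*' wildcard.
        'Access-Control-Allow-Origin: ' . $origin,
        // Lets the browser send the session cookie on XMLHttpRequests; the
        // client must also set withCredentials = true. Combined with '*'
        // this would be refused, which is why login then breaks.
        'Access-Control-Allow-Credentials: true',
        'Access-Control-Allow-Headers: x-requested-with, content-type',
        'Access-Control-Allow-Methods: POST, GET, OPTIONS',
        // Mark the response as origin-dependent so shared caches do not
        // hand one origin's response to a different origin.
        'Vary: Origin',
    ];
}

// Assumption: config.php is evaluated on every request, so the incoming
// Origin header can be consulted here.
$config['extra_headers'] = corsHeadersFor($_SERVER['HTTP_ORIGIN'] ?? null, $allowedOrigins);
```

A request from an origin that is not in $allowedOrigins gets no Access-Control-* headers, which is the intended failure mode: the same-origin policy then applies unchanged.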