Brightspot CMS Developer Guide

Cross-Origin Resource Sharing

This Integrations section, found in the Developer Guide, covers integrations that require developer intervention to turn on. For quick, out-of-the-box integrations offered by Brightspot, see the Integrations section in the Brightspot CMS User Guide.

This topic explains what CORS is, and how to configure it in your application.

Introduction to CORS
Cross-Origin Resource Sharing (CORS) is a mechanism that allows a page served from one domain to retrieve data from another domain. Ordinarily, under the same-origin security policy, AJAX requests that target a domain other than the one serving the current page would fail. The policy exists for a variety of reasons, from simply disabling modification access (e.g. POST or DELETE requests) from foreign domains to preventing malicious scripts from retrieving sensitive data used by one domain and sending it to another. To ensure safe cross-domain communication, CORS sets up a protocol through the use of HTTP headers and preflight requests. For more information on the CORS protocol, see MDN’s CORS documentation.

Brightspot, GraphQL, and CORS
Brightspot GraphQL endpoints allow for a CORS Configuration with Allowed Origins and Allowed Headers settings. Any cross-domain request made to a GraphQL endpoint has its origin domain compared with those in the Allowed Origins. For any request from an allowed origin, the response will include the Access-Control-Allow-Origin header, with the value set to the origin that the request originated from. Additionally, the response to any preflight OPTIONS request made to the endpoint will include the Access-Control-Allow-Headers header. The value of the header will specify what additional non-default headers, based on the Allowed Headers configuration, may be included in a cross-origin request. All endpoints allow Content-Type, X-API-Key, and X-Site headers.

Because the CORS protocol is automatically implemented by the browser, no additional configurations are required to make a request to GraphQL endpoints in a client application. As long as the request comes from an allowed origin and contains only valid headers, cross-origin requests will execute safely and without issue.
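
The following JavaScript is an added example, not Brightspot code: it models the header decisions described above so you can check a planned Allowed Origins and Allowed Headers configuration against sample requests. The function names, the config object shape, and the whole-origin equality comparison are assumptions made for illustration.

```javascript
// Added illustration: models the CORS behaviour described above.
// Not Brightspot code; names and the config shape are hypothetical.
const DEFAULT_ALLOWED_HEADERS = ["Content-Type", "X-API-Key", "X-Site"];

// Normalize an Origin value to scheme://host[:port]; null if unparseable.
function normalizeOrigin(value) {
  try {
    const url = new URL(value);
    return url.origin === "null" ? null : url.origin;
  } catch {
    return null;
  }
}

// Returns the CORS response headers for one request, or {} when the
// origin is not allowed (the browser then blocks the cross-origin read).
function corsResponseHeaders(config, request) {
  const origin = normalizeOrigin(request.headers["origin"] || "");
  const allowed = new Set(config.allowedOrigins.map(normalizeOrigin));
  // Assumption: whole-origin equality, never substring or suffix matching.
  if (origin === null || !allowed.has(origin)) return {};

  const headers = { "Access-Control-Allow-Origin": origin };
  if (request.method === "OPTIONS") {
    // Preflight: defaults plus the configured Allowed Headers, deduplicated.
    const seen = new Set();
    const list = [];
    for (const h of [...DEFAULT_ALLOWED_HEADERS, ...config.allowedHeaders]) {
      const key = h.toLowerCase();
      if (!seen.has(key)) { seen.add(key); list.push(h); }
    }
    headers["Access-Control-Allow-Headers"] = list.join(", ");
  }
  return headers;
}

// Constructed sample configuration and requests.
const config = {
  allowedOrigins: ["https://app.example.com"],
  allowedHeaders: ["X-Preview-Token", "content-type"],
};
const preflight = { method: "OPTIONS", headers: { origin: "https://app.example.com" } };
const lookalike = { method: "POST", headers: { origin: "https://app.example.com.attacker.test" } };

console.log(corsResponseHeaders(config, preflight));
console.log(corsResponseHeaders(config, lookalike)); // no CORS headers
```

The lookalike origin shares a prefix with the allowed one but receives no CORS headers, which is the result to expect from any allow-list that compares complete origins.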
