Cross-Origin Resource Sharing
This topic explains what CORS is, and how to configure it in your application.
Introduction to CORS
Cross-Origin Resource Sharing (CORS) is a mechanism that allows a page served from one domain to retrieve data from another domain. Ordinarily, under the browser's same-origin security policy, AJAX requests that target a domain other than the one serving the current page fail. The policy exists for a variety of reasons, from simply blocking modifying requests (e.g. POST or DELETE) from foreign domains to preventing malicious scripts from retrieving sensitive data belonging to one domain and sending it to another. To allow cross-domain communication safely, CORS defines a protocol built on HTTP headers and preflight requests. For more information on the CORS protocol, see MDN's CORS documentation.
Brightspot, GraphQL, and CORS
Brightspot GraphQL endpoints support a CORS Configuration with Allowed Origins and Allowed Headers settings. Any cross-domain request made to a GraphQL endpoint has its origin domain compared with those in the Allowed Origins. For any request from an allowed origin, the response includes the Access-Control-Allow-Origin header, with the value set to the origin the request came from. Additionally, the response to any preflight OPTIONS request made to the endpoint includes the Access-Control-Allow-Headers header. Its value lists the additional non-default headers, taken from the Allowed Headers configuration, that may be included in a cross-origin request. All endpoints allow the Content-Type, X-API-Key, and X-Site headers.
Because the CORS protocol is implemented automatically by the browser, no additional configuration is required in a client application to make a request to a GraphQL endpoint. As long as the request comes from an allowed origin and contains only allowed headers, cross-origin requests execute safely and without issue.
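The following added example (not Brightspot's code) models the endpoint behaviour described above: exact-match origin checking, echoing only an allowed origin in Access-Control-Allow-Origin, and building the Access-Control-Allow-Headers value for a preflight from the default headers plus the Allowed Headers setting. CorsConfig and its field names are assumptions standing in for the Allowed Origins and Allowed Headers settings, and the Vary: Origin header is a defensive addition not stated on the page.

```python
# Added example modelling the CORS decision described on the page.
# CorsConfig and its field names are assumptions, not Brightspot's API.
from dataclasses import dataclass

# Headers every endpoint accepts without extra configuration (from the page).
DEFAULT_ALLOWED_HEADERS = ("Content-Type", "X-API-Key", "X-Site")


@dataclass(frozen=True)
class CorsConfig:
    allowed_origins: frozenset  # full origins, e.g. "https://www.example.com"
    allowed_headers: frozenset = frozenset()  # extra request headers to permit

    def header_allowlist(self):
        # Header names are case-insensitive, so compare them in lower case.
        return {h.lower() for h in DEFAULT_ALLOWED_HEADERS} | {
            h.lower() for h in self.allowed_headers}


def cors_headers(config, origin):
    """CORS headers for an actual request, or None if the origin is denied.

    The Origin value is compared with an exact string match against the
    allowlist; prefix or substring matching would admit look-alike origins.
    """
    if origin is None or origin not in config.allowed_origins:
        return None
    # Echo only an origin that is actually on the allowlist. "Vary: Origin" is
    # added here (not stated by the page) so a shared cache never serves one
    # origin's response to another.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def preflight_headers(config, origin):
    """Headers for an OPTIONS preflight, or None if the origin is denied."""
    headers = cors_headers(config, origin)
    if headers is None:
        return None
    # Default headers first, then the configured Allowed Headers.
    headers["Access-Control-Allow-Headers"] = ", ".join(
        list(DEFAULT_ALLOWED_HEADERS) + sorted(config.allowed_headers))
    return headers


def request_permitted(config, origin, requested_headers):
    """True if the browser would let the cross-origin request proceed.

    `requested_headers` is the list the browser sends in
    Access-Control-Request-Headers; every entry must be on the allowlist.
    """
    if cors_headers(config, origin) is None:
        return False
    return {h.lower() for h in requested_headers} <= config.header_allowlist()
```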