Calling an API by using CORS

CORS (cross origin resource sharing) is a technique that allows calls to be made from code that is running in a browser to a third-party server (such as APIs running on an API Connect Gateway). These calls are, by default, not allowed as per the same origin security policy that is applied to the browser sandbox. Without CORS support, web developers are required to use more complex techniques such as server-side proxies.

About this task

API Connect Gateway servers support CORS to make it as easy as possible for web developers to use APIs within their web applications.
CORS is supported in the following browsers:
  • Chrome 3+
  • Firefox 3.5+
  • Internet Explorer V11, or later
  • Opera 12+
  • Safari 4+

A CORS enabled browser automatically sends either a simple CORS request, consisting of the original request with the addition of the Origin header, or a preflight request followed by a simple CORS request.

An example CORS preflight request is as follows:
OPTIONS /org/env/api/resourceHTTP/1.1
User-Agent: useragent details
Access-Control-Request-Method: GET
Access-Control-Request-Headers: header names
Accept: */*

You do not need to create CORS requests yourself, other than for testing or troubleshooting purposes.

A CORS response is received from the gateway; for example:
HTTP/1.1 200 OK
X-Backside-Transport: FAIL FAIL 
Connection: Keep-Alive
Transfer-Encoding: chunked
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers:accept, accept-language, content-type, x-ibm-client-id
Access-Control-Allow-Methods: methods allowed on the resource
Vary: Origin