Calling an API by using CORS
CORS (cross-origin resource sharing) is a technique that allows calls to be made from code that is running in a browser to a third-party server (such as APIs running on an API Connect Gateway). By default, these calls are not allowed, as per the same-origin security policy that is applied to the browser sandbox. Without CORS support, web developers are required to use more complex techniques such as server-side proxies.
API Connect Gateway servers support CORS to make it as easy as possible for web developers to use APIs within their web applications.
About this task
CORS is supported in the following browsers:
- Chrome 3+
- Firefox 3.5+
- Internet Explorer V11, or later
- Opera 12+
- Safari 4+
A CORS-enabled browser automatically sends either a simple CORS request, consisting of the original request with the addition of the Origin header, or a preflight request followed by a simple CORS request.
An example CORS preflight request is as follows:
OPTIONS /org/env/api/resource HTTP/1.1
User-Agent: useragent details
Access-Control-Request-Method: GET
Access-Control-Request-Headers: header names
Host: x.xx.xxx.xx
Origin: https://example.com
Accept: */*
You do not need to create CORS requests yourself, other than for testing or troubleshooting purposes.
A CORS response is received from the gateway; for example:
HTTP/1.1 200 OK
X-Backside-Transport: FAIL FAIL
Connection: Keep-Alive
Transfer-Encoding: chunked
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-language, content-type, x-ibm-client-id
Access-Control-Allow-Methods: methods allowed on the resource
Vary: Origin
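When troubleshooting, it helps to evaluate a captured preflight response against the main checks a browser applies before it sends the actual request. The following is an added example, not code from the product or its documentation; the function names, the requested header, and the "GET, POST" method list are constructed assumptions.

```javascript
// Added example (not product code): apply the main browser-side checks to a
// CORS preflight response, for troubleshooting. Sample values are constructed.
const SAFELISTED_METHODS = ["get", "head", "post"]; // need no Allow-Methods entry

const lower = (headers) => Object.fromEntries(
  Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
const tokens = (value) =>
  (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
// "*" is a wildcard only for non-credentialed requests and never covers Authorization.
const permits = (list, item, creds) =>
  list.includes(item) || (!creds && list.includes("*") && item !== "authorization");

// Returns { blocked, warnings }; the browser rejects the call if blocked is non-empty.
function checkPreflight(request, response, withCredentials = false) {
  const req = lower(request), res = lower(response);
  const blocked = [], warnings = [];
  const allowOrigin = res["access-control-allow-origin"];
  if (!allowOrigin) blocked.push("missing Access-Control-Allow-Origin");
  else if (allowOrigin === "*") {
    if (withCredentials) blocked.push("wildcard origin with credentials");
  } else if (allowOrigin !== req["origin"]) blocked.push("origin mismatch");
  else if (!tokens(res["vary"]).includes("origin")) // shared caches could reuse it
    warnings.push("origin-specific response without Vary: Origin");
  if (withCredentials && res["access-control-allow-credentials"] !== "true")
    blocked.push("credentials not allowed");
  const method = (req["access-control-request-method"] || "").toLowerCase();
  const methods = tokens(res["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.includes(method) && !permits(methods, method, withCredentials))
    blocked.push("method not allowed: " + method);
  const allowed = tokens(res["access-control-allow-headers"]);
  for (const h of tokens(req["access-control-request-headers"]))
    if (!permits(allowed, h, withCredentials)) blocked.push("header not allowed: " + h);
  return { blocked, warnings };
}

// Constructed sample, modelled on the request and response shown above.
const sampleRequest = {
  "Origin": "https://example.com",
  "Access-Control-Request-Method": "GET",
  "Access-Control-Request-Headers": "x-ibm-client-id",
};
const sampleResponse = {
  "Access-Control-Allow-Origin": "https://example.com",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers": "accept, accept-language, content-type, x-ibm-client-id",
  "Access-Control-Allow-Methods": "GET, POST",
  "Vary": "Origin",
};
console.log(checkPreflight(sampleRequest, sampleResponse, true));
```

An entry in warnings does not stop the browser; it flags a response that a shared cache could serve to a different origin.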