Calling an API by using CORS
CORS (cross-origin resource sharing) is a technique that allows code running in a browser to call a third-party server (such as APIs running on API Connect). By default, these calls are not allowed because of the same-origin security policy that is applied to the browser sandbox. Without CORS support, web developers are required to use more complex techniques such as server-side proxies.
About this task
Note: CORS support is available only on the DataPower® API Gateway.
API Connect Gateway servers support CORS to make it as easy as possible for web developers to use APIs within their web applications. CORS is supported in the following browsers:
- Chrome 3+
- Firefox 3.5+
- Internet Explorer V11, or later
- Opera 12+
- Safari 4+
A CORS-enabled browser automatically sends either a simple CORS request, consisting of the original request with the addition of the Origin header, or a preflight request followed by a simple CORS request.
An example CORS preflight request is as follows:
OPTIONS /org/env/api/resource HTTP/1.1
User-Agent: useragent details
Access-Control-Request-Method: GET
Access-Control-Request-Headers: header names
Host: x.xx.xxx.xx
Origin: https://example.com
Accept: */*
You do not need to create CORS requests yourself, other than for testing or troubleshooting purposes.
A CORS response is received from the gateway; for example:
HTTP/1.1 200 OK
X-Backside-Transport: FAIL FAIL
Connection: Keep-Alive
Transfer-Encoding: chunked
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-language, content-type, x-ibm-client-id
Access-Control-Allow-Methods: methods allowed on the resource
Vary: Origin
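For testing or troubleshooting, the preflight request and the gateway response shown above can be checked against each other. The following is an added example, not code from API Connect: checkPreflight, its helpers and the sample header values are constructed for illustration. It assumes the browser request is credentialed whenever the response sets Access-Control-Allow-Credentials: true.

```javascript
// Added example; function names and sample values are constructed.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const list = (v) => (v || "").split(",").map((t) => t.trim()).filter(Boolean);
const lower = (v) => list(v).map((t) => t.toLowerCase());

// Case-insensitive header lookup in a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns the reasons the preflight response is inconsistent with the request;
// an empty array means the exchange is consistent.
function checkPreflight(req, res) {
  const problems = [];
  const origin = header(req, "Origin");
  const allowOrigin = header(res, "Access-Control-Allow-Origin");
  // Assumption: Allow-Credentials: true stands in for a credentialed request.
  const credentials = header(res, "Access-Control-Allow-Credentials") === "true";
  if (allowOrigin !== origin && allowOrigin !== "*") problems.push("allow-origin does not match the request Origin");
  if (allowOrigin === "*" && credentials) problems.push("wildcard origin cannot be combined with credentials");
  // "*" in the method/header lists is only a wildcard when credentials are off.
  const wildcard = (items) => !credentials && items.includes("*");
  const method = header(req, "Access-Control-Request-Method");
  const methods = list(header(res, "Access-Control-Allow-Methods"));
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method) && !wildcard(methods)) {
    problems.push(`method ${method} is not allowed`);
  }
  const allowed = lower(header(res, "Access-Control-Allow-Headers"));
  for (const h of lower(header(req, "Access-Control-Request-Headers"))) {
    if (!allowed.includes(h) && !wildcard(allowed)) problems.push(`header ${h} is not allowed`);
  }
  // A response that echoes one origin must tell caches to key on Origin.
  if (allowOrigin !== "*" && !lower(header(res, "Vary")).includes("origin")) {
    problems.push("Vary: Origin is missing for an origin-specific response");
  }
  return problems;
}

// Constructed exchange modelled on the request and response shown above.
const sampleRequest = {
  Origin: "https://example.com",
  "Access-Control-Request-Method": "GET",
  "Access-Control-Request-Headers": "x-ibm-client-id, content-type",
};
const sampleResponse = {
  "Access-Control-Allow-Origin": "https://example.com",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers": "accept, accept-language, content-type, x-ibm-client-id",
  "Access-Control-Allow-Methods": "GET, POST",
  Vary: "Origin",
};
```

Calling checkPreflight(sampleRequest, sampleResponse) returns an empty array; each entry in a non-empty result names the header to inspect on the gateway side.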