.. include:: /includes.rst.txt

.. comments - headings

    # with overline, for parts
    * with overline, for chapters
    = for sections
    - for subsections
    ^ for subsubsections
    " for paragraphs
    * for H5
    + for H6

.. index:: Cross-Origin Resource Sharing

.. _cross_origin_resource_sharing:

Cross-Origin Resource Sharing (CORS)
====================================

By default, EDG uses a strict same-origin policy, meaning that if a request for any resource in EDG originated from a script, that script must have been served by the EDG server, and not some other domain.

**Cross-Origin Resource Sharing** (CORS) can be used to relax the same-origin policy, and allow content from EDG to be rendered in response to a request that originated in another domain.

For example, if your web application at https://your.example.app needs to make a request to https://api.edg.server, then EDG needs to allow the origin https://your.example.app in order to share its response with your web application.

.. note::

    For more information regarding how this protocol is implemented and enforced, visit https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.

Adding allowed origins
----------------------

Allowed origins are added via the EDG :ref:`setup file `. The allowed origins are a comma-separated list of URLs, as follows:

.. code-block:: properties

    corsAllowedOrigins = https://your.example.app, https://other.example.app

Using a reverse proxy
---------------------

If you have a reverse proxy, such as a load balancer, in front of your EDG instance, the proxy is considered to be a different origin. Add the proxy host to the allowed origins:

.. code-block:: properties

    corsAllowedOrigins = https://your.proxy.host

Testing your web application
----------------------------

For testing purposes, you can use a wildcard, which will allow *all* domains:

.. code-block:: properties

    corsAllowedOrigins = *

.. note::

    Remember to use the specific domains you wish to allow (*not* the wildcard \*), before deploying to production.
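
A pre-deployment check for the setting described above, as an added example (not EDG's own code): it reads ``corsAllowedOrigins`` from properties-style text and flags the wildcard and any entry that is not a bare ``scheme://host[:port]`` origin. The sample file content, the function names and the simplified ``key = value`` parsing are assumptions; how EDG itself parses and matches entries is not described on this page.

```python
from urllib.parse import urlsplit

# Constructed sample setup-file content; only the corsAllowedOrigins key is from the page.
SAMPLE_SETUP = """\
# constructed sample
corsAllowedOrigins = https://your.example.app, https://other.example.app/, http://intranet.example, *
"""

def read_allowed_origins(text, key="corsAllowedOrigins"):
    """Return the comma-separated values of `key` (simplified 'key = value' parsing)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue  # skip comments and lines without an assignment
        name, _, value = line.partition("=")
        if name.strip() == key:
            return [v.strip() for v in value.split(",") if v.strip()]
    return []

def lint_origin(entry):
    """Return findings for one allowed-origin entry; an empty list means no finding."""
    if entry == "*":
        return ["wildcard allows all domains; for testing only"]
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not a scheme://host[:port] origin"]
    findings = []
    if parts.scheme == "http":
        findings.append("cleartext http origin")
    # A browser's Origin header is scheme://host[:port] only, with no trailing slash.
    if parts.path or parts.query or parts.fragment:
        findings.append("has path/query/fragment; an Origin header carries none")
    return findings

def lint_setup(text):
    """Map each problematic allowed-origin entry to its findings."""
    report = {}
    for entry in read_allowed_origins(text):
        findings = lint_origin(entry)
        if findings:
            report[entry] = findings
    return report

if __name__ == "__main__":
    for entry, findings in lint_setup(SAMPLE_SETUP).items():
        print(f"{entry}: {'; '.join(findings)}")
```

A non-empty result from ``lint_setup`` can be used to fail a deployment pipeline step before the setup file reaches production.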