Configure CORS for AdminUI, OAuth and your applications
About this task
The CORS protocol is designed to prevent accidental data leakage. A client, such as a browser, curl, Postman, or Bruno, presents an `origin` header to Domino REST API to gain access to valid responses. Browsers add that header automatically when the origin's scheme, hostname, or port differs from that of Domino REST API. Command line or developer tools like curl or Bruno don't automatically send the `origin` header and thus aren't subject to a CORS check. The same applies to server code like NodeJS, Java, or GO.
You can avoid CORS
Domino REST API can host your static applications itself, which requires no additional CORS setup besides your own host.
Procedure
Assuming the following setup:
- Your Domino REST API host is `https://drapi.company.com:8880`.
- You have multiple servers hosting static applications: `https://sales.company.com` and `https://***.otherdomain.com` (running on different ports).
- For development, you want to allow `http://localhost:5438`.
CORS mapping uses Java Regular Expressions (Regex).
Use a Regex tool
Regexes can be hard to read and get right because of their terse syntax and flexibility. To test whether a regex does what you want, use an online interactive tool for validation. Make sure to pick the Java flavor.
Create a JSON file in `keepconfig.d`, for example `cors.json`, that contains one element per regex with the value `true`. If you need to temporarily disable an entry, you can set it to `false`. Make sure you understand Domino REST API configuration.
The regex for `https://drapi.mycompany.com:8880` is `^https:\\/\\/drapi\\.mycompany\\.com:8880$`.
Note
Inside JSON, the `\` of a regex gets escaped to `\\`.
A few pointers
- `^` → beginning of the string
- `http` → the literal string `http`
- `s?` → the optional string `s`
- `\\/` → double-escaped literal `/`
- `.*` → any number of characters of any type
- `\\.` → double-escaped literal `.`
- `(?:\\:\\d+)?` → double-escaped optional colon and port number
- `$` → end of string
Expected result
```json
{
  "CORS": {
    "^https?:\\/\\/localhost(?:\\:\\d+)?$": true,
    "^https:\\/\\/.*\\.otherdomain\\.com(?:\\:\\d+)?$": true,
    "^https:\\/\\/drapi\\.company\\.com\\:8880$": true,
    "^https:\\/\\/sales\\.company\\.com$": true
  }
}
```
You need to include your host
The CORS implementation is designed to be restrictive: any HTTP request presenting an `origin` header is checked against your configuration and denied if no match can be found. The CORS specification states:
Ultimately, server developers have a lot of freedom in how they handle HTTP responses and these tactics can differ between the response to the CORS-preflight request and the CORS request that follows it.
We decided on the side of caution and fail any request whose presented `origin` header does not match. As a result, you have to include your Domino REST API host in your CORS setup.
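The following script is an added example, not code from the Domino REST API project: it simulates the origin check described in the pointers, the expected result, and the "include your host" rule above. It uses JavaScript `RegExp` as a stand-in for the Java regex engine Domino REST API uses (the anchored literal patterns here behave the same in both), and the `cors.json` content, the hostnames, and the function names `loadCorsRules`, `decideCors`, `hostMissingIsDenied` and `unescapedDotMatches` are all constructed for this demonstration.

```javascript
// Added example, not code from the Domino REST API project: a small simulation of
// the CORS origin check described on this page. JavaScript RegExp stands in for
// Java regex; the anchored literal patterns used here behave the same in both.

// Constructed cors.json content. String.raw keeps the backslashes exactly as they
// would appear in the file, so JSON.parse turns "\\/" into the regex escape "\/".
const SAMPLE_CORS_JSON = String.raw`{
  "CORS": {
    "^https?:\\/\\/localhost(?:\\:\\d+)?$": true,
    "^https:\\/\\/.*\\.otherdomain\\.com(?:\\:\\d+)?$": true,
    "^https:\\/\\/drapi\\.company\\.com\\:8880$": true,
    "^https:\\/\\/sales\\.company\\.com$": true,
    "^https:\\/\\/old\\.company\\.com$": false
  }
}`;

// Compile every enabled entry; entries set to false stay in the file but are ignored.
function loadCorsRules(jsonText) {
  const mapping = JSON.parse(jsonText).CORS;
  return Object.entries(mapping)
    .filter(([, enabled]) => enabled === true)
    .map(([pattern]) => new RegExp(pattern));
}

// Decide what happens to a request: no Origin header means no CORS check at all
// (curl, Bruno, server-side code); otherwise the origin must match at least one rule.
function decideCors(rules, origin) {
  if (origin === undefined) return "skipped";
  return rules.some((rule) => rule.test(origin)) ? "allowed" : "denied";
}

// Shows the "include your host" rule: the same config without the Domino REST API
// host entry denies a browser app served from that very host.
function hostMissingIsDenied() {
  const mapping = JSON.parse(SAMPLE_CORS_JSON).CORS;
  delete mapping["^https:\\/\\/drapi\\.company\\.com\\:8880$"];
  const rules = loadCorsRules(JSON.stringify({ CORS: mapping }));
  return decideCors(rules, "https://drapi.company.com:8880");
}

// Shows why the dot must be escaped: an unescaped "." matches any character, so the
// pattern also accepts a hostname that merely resembles yours.
function unescapedDotMatches(origin) {
  const sloppy = new RegExp("^https:\\/\\/drapi.company\\.com$");
  const strict = new RegExp("^https:\\/\\/drapi\\.company\\.com$");
  return { sloppy: sloppy.test(origin), strict: strict.test(origin) };
}

// Demo run over a few constructed origins
const demoRules = loadCorsRules(SAMPLE_CORS_JSON);
for (const origin of [
  "https://drapi.company.com:8880", "https://drapi.company.com",
  "http://localhost:5438", "https://app.otherdomain.com:8443",
  "https://old.company.com", "https://evil.example", undefined,
]) {
  console.log(String(origin).padEnd(36), decideCors(demoRules, origin));
}
console.log("without host entry:", hostMissingIsDenied());
console.log("unescaped dot:", unescapedDotMatches("https://drapixcompany.com"));
```

Run it with `node` to see which origins pass. The `unescapedDotMatches` case is the reason every `.` in a hostname is written as `\\.` in the expected result: with a bare `.` the rule silently widens to hostnames you never meant to allow.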
Tip
To check Domino REST API settings, see Check Domino REST API settings.
Calling Domino REST API from your browser-based application
You can use the browser's built-in Fetch API with a simple function:
```javascript
const drapiFetch = async (url, method, token, body) => {
  const options = {
    method: method,
    mode: 'cors',
    headers: {
      Authorization: `Bearer ${token}`
    }
  };
  if (body) {
    // Send the body as JSON and declare it, so the server parses it correctly
    options.headers['Content-Type'] = 'application/json';
    options.body = JSON.stringify(body);
  }
  const response = await fetch(url, options);
  if (!response.ok) {
    throw new Error(`Fetch failed: ${response.status} ${response.statusText}`);
  }
  // Parse the JSON body from the Response itself (response.body is a raw stream)
  const json = await response.json();
  return json;
};
```
This is just an example; you still need to add error handling that fits your application. To deal with chunked responses, check this out.