| default | describes the base resource-sharing setting of the application | String | "same-origin" | "same-origin", "cors", "jsonp" |
| _compensatingControl | describes whether there is some other tool or process in place to handle this | Boolean | false | true, false |
| corsSettings | | | | |
| enabled | describes whether this part of the policy is enabled or not | Boolean | false | true, false |
| config | how the CORS policy will be enacted | | | |
| whitelist | the list of allowed origins & associated methods | JSON Object or null | null | example => "{ "http://example.com": ["GET", "PUT", "POST", "PATCH", "DELETE"], "https://www.other-example.com": ["POST"]}" |
| preflightRequests | when should requests be preflighted | | | |
| onMethod | which methods to force preflight requests on | String Array | ["put","delete","connect","options","trace","patch"] | Any HTTP method |
| onHeader | which headers require preflight requests | String Array | !["accept","accept-language","content-language","dpr","save-data","viewport-width","width"] | See preflight request requirements for headers |
| maxAge | how long (in seconds) to cache the response to the preflight request | Number (int) | 3600 | Any integer >=0 (0 = don’t cache the response) |
| responseHeaders | CORS response headers | JSON or null | {"allowOrigin": true,"allowCredentials": true,"allowedHeaders": false,"allowMethod": true,"exposeHeaders": false,"setMaxAge": true} | Any CORS-standard response header |
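
The settings above applied to individual requests, as an added example (not code from the original page or the project it describes). `evaluateCors` is a hypothetical helper; the nesting of the keys and the reading of the `!` prefix on `onHeader` as "every header except these" are assumptions.

```javascript
// Constructed policy using the keys and defaults from the table above.
// Assumption: nesting is corsSettings > config > whitelist / preflightRequests.
const policy = {
  default: "same-origin",
  corsSettings: {
    enabled: true,
    config: {
      whitelist: {
        "http://example.com": ["GET", "PUT", "POST", "PATCH", "DELETE"],
        "https://www.other-example.com": ["POST"],
      },
      preflightRequests: {
        onMethod: ["put", "delete", "connect", "options", "trace", "patch"],
        // Assumption: the table's leading "!" means "every header NOT listed here".
        onHeader: ["accept", "accept-language", "content-language",
          "dpr", "save-data", "viewport-width", "width"],
        maxAge: 3600,
      },
    },
  },
};

// Hypothetical helper: decide one cross-origin request against the policy.
function evaluateCors(p, { origin, method, headers = [] }) {
  const denied = { allowed: false, preflight: false };
  const cors = p.corsSettings;
  // Disabled or missing CORS settings fall back to the same-origin default.
  if (!cors || !cors.enabled || !cors.config || !cors.config.whitelist) return denied;
  const list = cors.config.whitelist;
  // Exact, own-property match on the origin string: no prefix, suffix or
  // regex matching, and inherited keys such as "constructor" never match.
  if (!Object.prototype.hasOwnProperty.call(list, origin)) return denied;
  if (!list[origin].includes(method.toUpperCase())) return denied;
  const pre = cors.config.preflightRequests;
  const byMethod = pre.onMethod.includes(method.toLowerCase());
  const byHeader = headers.some((h) => !pre.onHeader.includes(h.toLowerCase()));
  return { allowed: true, preflight: byMethod || byHeader };
}
```

Matching the origin as an exact own-property key is what keeps lookalike origins and a null whitelist from being treated as allowed.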