In response to a CORS simple or preflighted request from the browser, the HCP server responds with the corresponding CORS headers.
The following table describes the CORS response headers.
Response header | Description | Request type |
---|---|---|
Access-Control-Allow-Origin | Indicates whether the response can be shared with the requesting code from the given origin. If no applicable CORS rule is defined on the server, the Access-Control-Allow-Origin header is omitted from the response, which causes the browser to deny access to the resource. A value of `*` by itself means that the resource is public and available to everyone. Using `*` as the value of this header together with credentials results in an error; see the Access-Control-Allow-Credentials description in this table. | Simple, Preflight |
Access-Control-Allow-Headers | Returned by the server in response to a preflight request that includes the Access-Control-Request-Headers header, to indicate which HTTP headers can be used in the actual request. Returned only for the OPTIONS request, not for the preflighted API call. | Preflight |
Access-Control-Allow-Methods | Returned by the server in response to a preflight request to specify the HTTP method or methods allowed when the actual request is made. Returned only for the OPTIONS request, not for the preflighted API call. | Preflight |
Access-Control-Expose-Headers | Optional: lists the response headers that browser code is allowed to access beyond the default set. By default, only six simple response headers are exposed: cache-control, content-language, content-type, expires, last-modified and pragma. Returned only for the OPTIONS request, not for the preflighted API call. | Simple, Preflight |
Access-Control-Max-Age: delta-seconds | Optional: indicates how long, in seconds, the result of a preflight request can be cached by the browser. | Preflight |
Access-Control-Allow-Credentials: true | Optional: in a response to a preflight request, this header indicates whether the actual request can be made with credentials. For a simple request, if the header is true, the response is ignored by the browser and no content is returned to the web browser. This header works in conjunction with the credentials option of the XHR or Fetch request. HCP returns the value true for this header unless the AllowedOrigin element in the CORS rules configuration is defined as `*`; in that case the Access-Control-Allow-Credentials header is not returned. Note: a CORS-compliant HCP server will not return the Access-Control-Allow-Credentials header when the wildcard `*` is defined as the allowed origin and the value of the Access-Control-Allow-Origin response header is `*`. | Simple, Preflight |
Vary | Determines how future request headers are matched to decide whether a cached response can be used rather than requesting a new response from the server. If the HCP server sends a response whose Access-Control-Allow-Origin value is an explicit origin (rather than the wildcard `*`), the response should also include a Vary header containing Origin, to indicate that server responses can differ based on the value of the Origin request header. The value of the Vary header is a comma-separated list of the request header names on which the response depends. For example: Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method | Simple, Preflight |
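The following is an added example, not code from HCP or this documentation. It models the header rules in the table above in two directions: `cors_response_headers` emits the response headers a CORS-aware server would send for a simple or preflight request under a simplified rule (the `CorsRule` fields are an assumed simplification, not HCP's configuration schema), and `audit_cors_headers` checks a captured set of response headers for the combinations the table flags: a missing Access-Control-Allow-Origin (browser denies access), the wildcard origin combined with Access-Control-Allow-Credentials (an error in the browser), and an explicit origin echoed back without `Vary: Origin` (a shared cache could replay the response to a different origin).

```python
"""Added example (not HCP's own code): build the CORS response headers the
table describes from a simplified rule model, and audit a response header set
for the misconfigurations the table warns about."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The six simple response headers a browser exposes without Access-Control-Expose-Headers.
SIMPLE_RESPONSE_HEADERS = frozenset(
    {"cache-control", "content-language", "content-type", "expires", "last-modified", "pragma"})

# Vary value for a preflight response whose content depends on all three request headers.
PREFLIGHT_VARY = "Origin, Access-Control-Request-Headers, Access-Control-Request-Method"


@dataclass
class CorsRule:
    """Assumed rule shape (not HCP's schema): AllowedOrigin is an explicit origin or '*'."""
    allowed_origins: List[str]
    allowed_methods: List[str]
    allowed_headers: List[str] = field(default_factory=list)
    expose_headers: List[str] = field(default_factory=list)
    max_age_seconds: Optional[int] = None


def find_rule(rules: List[CorsRule], origin: str, method: str) -> Optional[CorsRule]:
    """First rule whose origin list matches the request Origin and whose method list
    contains the actual (or preflighted) method; None means no applicable rule."""
    for rule in rules:
        origin_ok = "*" in rule.allowed_origins or origin in rule.allowed_origins
        if origin_ok and method.upper() in {m.upper() for m in rule.allowed_methods}:
            return rule
    return None


def cors_response_headers(rules: List[CorsRule], method: str,
                          request_headers: Dict[str, str]) -> Dict[str, str]:
    """Return the CORS headers for one request, or {} when no rule applies
    (no Access-Control-Allow-Origin is sent, so the browser denies the resource)."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # not a cross-origin request; nothing to add
    requested_method = request_headers.get("Access-Control-Request-Method")
    preflight = method.upper() == "OPTIONS" and requested_method is not None
    rule = find_rule(rules, origin, requested_method if preflight else method)
    if rule is None:
        return {}
    wildcard = "*" in rule.allowed_origins
    out: Dict[str, str] = {"Access-Control-Allow-Origin": "*" if wildcard else origin}
    if not wildcard:
        # An explicit origin is echoed back: credentials may be allowed, and the
        # response now depends on the Origin request header, which Vary must declare.
        out["Access-Control-Allow-Credentials"] = "true"
        out["Vary"] = PREFLIGHT_VARY if preflight else "Origin"
    if preflight:
        out["Access-Control-Allow-Methods"] = ", ".join(rule.allowed_methods)
        if "Access-Control-Request-Headers" in request_headers and rule.allowed_headers:
            out["Access-Control-Allow-Headers"] = ", ".join(rule.allowed_headers)
        if rule.max_age_seconds is not None:
            out["Access-Control-Max-Age"] = str(rule.max_age_seconds)
    # Only non-simple headers need exposing; the simple six are readable by default.
    extra = [h for h in rule.expose_headers if h.lower() not in SIMPLE_RESPONSE_HEADERS]
    if extra:
        out["Access-Control-Expose-Headers"] = ", ".join(extra)
    return out


def audit_cors_headers(headers: Dict[str, str]) -> List[str]:
    """Flag the header combinations the table describes as errors or omissions."""
    findings: List[str] = []
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        findings.append("no Access-Control-Allow-Origin: the browser will deny access")
        return findings
    if acao == "*" and "Access-Control-Allow-Credentials" in headers:
        findings.append("wildcard origin combined with Access-Control-Allow-Credentials: "
                        "the browser rejects the response")
    if acao != "*":
        vary = {v.strip().lower() for v in headers.get("Vary", "").split(",")}
        if "origin" not in vary:
            findings.append("explicit origin without 'Vary: Origin': a shared cache may "
                            "serve this response to a request from another origin")
    return findings


if __name__ == "__main__":
    # Constructed rules: one explicit origin with credentials, one public read-only rule.
    rules = [CorsRule(["https://app.example.com"], ["GET", "PUT"], ["Authorization"], ["ETag"], 600),
             CorsRule(["*"], ["GET"])]
    preflight = cors_response_headers(rules, "OPTIONS", {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Authorization"})
    for name, value in preflight.items():
        print(f"{name}: {value}")
    print("findings:", audit_cors_headers(preflight))
```

Running the module prints the preflight response for the explicit-origin rule and an empty findings list; feeding `audit_cors_headers` a header set captured from a real response (for example from a browser's network panel) shows the same checks applied to a live server.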
© 2015, 2020 Hitachi Vantara LLC. All rights reserved.