CORS

From Group-Office Groupware and CRM Documentation

Cross-origin resource sharing (CORS) is a mechanism that allows JavaScript on a web page to make XMLHttpRequests to another domain, not the domain the JavaScript originated from.[1] Such "cross-domain" requests would otherwise be forbidden by web browsers, per the same-origin security policy. CORS defines a way in which the browser and the server can interact to determine whether or not to allow the cross-origin request.[2] It is more useful than only allowing same-origin requests, but it is more secure than simply allowing all such cross-origin requests.

Allowing access to Group-Office from another domain could be useful for development.


You need at least Group-Office 5.0.25 for this to work.

The following config.php parameters add the CORS response headers. Note that allowing any origin is insecure and you should restrict the origins:

$config['extra_headers']=array(
                // Browsers accept only a single origin in this header, not a space-separated list.
                // Wildcard * doesn't work with credentials. Login will work but further communication fails.
                'Access-Control-Allow-Origin: http://localhost',
                'Access-Control-Allow-Credentials: true',
                'Access-Control-Allow-Headers: x-requested-with, content-type',
                'Access-Control-Allow-Methods: POST, GET, OPTIONS');
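
A static header can name only one origin, so when several development origins need access the usual approach is to compare the request's Origin header against an allowlist and echo back only an exact match. The following is an added example, not code from the Group-Office project; it assumes config.php is evaluated as ordinary PHP on every request and that each extra_headers entry is sent as written. The helper name cors_headers_for and the allowlist contents are hypothetical.

```php
<?php
// Added example for config.php; cors_headers_for() is a hypothetical helper name.
// Constructed allowlist: the development origins that may call Group-Office.
$allowedOrigins = array('http://localhost', 'http://example.foo');

/**
 * Return the CORS headers for one request, or an empty array when the
 * Origin header is absent or not on the allowlist.
 */
function cors_headers_for($origin, array $allowed)
{
    // Exact, case-sensitive comparison (strict in_array). No prefix, suffix
    // or regex matching: "http://localhost.example.org" must not pass.
    if (!is_string($origin) || !in_array($origin, $allowed, true)) {
        return array();
    }
    return array(
        // Exactly one origin, taken from the allowlist match.
        'Access-Control-Allow-Origin: ' . $origin,
        // Tell caches the response differs per Origin, so a cached copy
        // for one origin is not served to another.
        'Vary: Origin',
        'Access-Control-Allow-Credentials: true',
        'Access-Control-Allow-Headers: x-requested-with, content-type',
        'Access-Control-Allow-Methods: POST, GET, OPTIONS',
    );
}

// Browsers send Origin on cross-origin requests; it is absent otherwise.
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : null;
$config['extra_headers'] = cors_headers_for($origin, $allowedOrigins);
```

Requests from an origin that is not listed receive no CORS headers at all, so the browser blocks the cross-origin read.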