Cross-Origin Resource Sharing (CORS)

By default, EDG uses a strict same-origin policy, meaning that if a request for any resource in EDG originated from a script, that script must have been served by the EDG server, and not some other domain. Cross-Origin Resource Sharing (CORS) can be used to relax the same-origin policy, and allow content from EDG to be rendered in response to a request that originated in another domain. For example, if your web application at https://your.example.app needs to make a request to https://api.edg.server, then EDG needs to allow the origin https://your.example.app in order to share its response with your web application.

Note

For more information regarding how this protocol is implemented and enforced, visit https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.

Adding allowed origins

Allowed origins are added via the EDG setup file. The allowed origins are a comma-separated list of URLs, as follows:

corsAllowedOrigins = https://your.example.app, https://other.example.app

Using a reverse proxy

If you have a reverse proxy, such as a load balancer, in front of your EDG instance, the proxy is considered to be a different origin. Add the proxy host to the allowed origins:

corsAllowedOrigins = https://your.proxy.host

Testing your web application

For testing purposes, you can use a wildcard, which will allow all domains:

corsAllowedOrigins = *

Note

Before deploying to production, remember to replace the wildcard * with the specific domains you wish to allow.
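One way to catch a leftover wildcard or a malformed entry before deployment is to lint the corsAllowedOrigins line. The script below is an added example, not part of EDG. It assumes the key = value line format shown above; the function names and sample content are constructed, and the plain-http warning is an extra hardening check rather than an EDG requirement.

```python
from urllib.parse import urlsplit

# Constructed sample setup-file content (not from a real deployment).
SAMPLE = """\
# constructed sample
corsAllowedOrigins = https://your.example.app, https://other.example.app/, *, http://your.proxy.host, your.example.app
"""


def check_origin(entry):
    """Return a problem string for one list entry, or None if it looks fine."""
    if entry == "*":
        return "wildcard allows every origin; testing only"
    try:
        parts = urlsplit(entry)
    except ValueError:
        return "not parseable as a URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "not a scheme://host[:port] origin"
    if parts.path or parts.query or parts.fragment:
        return "has a path, query or fragment; the Origin header carries none"
    if parts.scheme == "http":
        return "plain-http origin; its pages can be altered in transit"
    return None


def lint_cors_origins(setup_text):
    """Return [(entry, problem), ...] for every corsAllowedOrigins line."""
    findings = []
    for line in setup_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "corsAllowedOrigins":
            continue  # comments and other settings are ignored
        for entry in (e.strip() for e in value.split(",")):
            problem = check_origin(entry) if entry else "empty entry (stray comma)"
            if problem:
                findings.append((entry, problem))
    return findings


if __name__ == "__main__":
    for entry, problem in lint_cors_origins(SAMPLE):
        print(f"{entry!r}: {problem}")
```

An empty result means every entry has the scheme://host[:port] form that browsers send in the Origin header.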