Example CORS JSON configuration
Here is example content for cors-rules.json.
This sample JSON file content illustrates these important points:
- Rules precedence: Rules are evaluated in the order they appear in the file, and evaluation stops once a match is found. In this example, the first two rules both apply to the origins http://this.example.com and http://that.example.com. The first allows read-only access ("GET") to resources that match /api/data/documents. The second allows read-write access to other resources that match /api/data. Since /api/data/documents is more specific than /api/data, it MUST come first. If the order of the two rules is reversed, the CORS filter ignores the /api/data/documents rule because requests for /api/data/documents match /api/data.
- Credentials: The first two rules allow credentials ("allowCredentials": true), but the third rule does not. Since the Domino Access Services (DAS) freebusy API is meant to allow anonymous requests, there is no need to accept credentials for requests matching /api/freebusy.
- Default behavior: Cross-origin requests are disabled when no matching rule is found for a resource. There is no rule for resources matching /api/calendar. Therefore the following configuration disables cross-origin requests for the DAS calendar API. The default is always to disable cross-origin requests.
  {
    "version": "1.0",
    "rules": [
      {
        "resource": {
          "path": "/api/data/documents"
        },
        "allowOrigins": [ "http://this.example.com", "http://that.example.com" ],
        "allowMethods": [ "GET" ],
        "allowCredentials": true
      },
      {
        "resource": {
          "path": "/api/data"
        },
        "allowOrigins": [ "http://this.example.com", "http://that.example.com" ],
        "allowMethods": [ "GET", "POST", "PUT", "DELETE" ],
        "allowCredentials": true
      },
      {
        "resource": {
          "path": "/api/freebusy"
        },
        "allowOrigins": [ "http://this.example.com" ],
        "allowMethods": [ "GET" ]
      }
    ]
  }
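The three points above (first-match precedence, per-rule credentials, and default denial) are easy to get wrong when editing a longer rules file, so the following script, which is an added example and not part of the Domino product or its documentation, models the filter's decision on the sample file and adds a lint check for rules that can never be reached. It assumes the matching semantics the text describes: a rule's path covers that path and everything beneath it, and the first rule whose path covers the request decides. The request paths and origins fed to it are constructed test values; the exact matching implemented by the real Domino filter may differ in details the page does not state.

```python
import json

# Constructed sample input: the three rules from the cors-rules.json above,
# embedded so the script runs offline.
CORS_RULES_JSON = """
{
  "version": "1.0",
  "rules": [
    { "resource": { "path": "/api/data/documents" },
      "allowOrigins": [ "http://this.example.com", "http://that.example.com" ],
      "allowMethods": [ "GET" ],
      "allowCredentials": true },
    { "resource": { "path": "/api/data" },
      "allowOrigins": [ "http://this.example.com", "http://that.example.com" ],
      "allowMethods": [ "GET", "POST", "PUT", "DELETE" ],
      "allowCredentials": true },
    { "resource": { "path": "/api/freebusy" },
      "allowOrigins": [ "http://this.example.com" ],
      "allowMethods": [ "GET" ] }
  ]
}
"""


def load_rules(text):
    """Parse the rules file and return its rule list in file order."""
    return json.loads(text)["rules"]


def path_matches(rule_path, request_path):
    """Assumption (from the text): a rule covers its own path and every path beneath it."""
    base = rule_path.rstrip("/")
    return request_path == base or request_path.startswith(base + "/")


def evaluate(rules, path, origin, method):
    """First-match evaluation: the first rule whose resource path covers the
    request decides, and later rules are never consulted. Returns the index of
    the deciding rule (None if nothing matched), whether the cross-origin
    request is allowed, and whether credentials may accompany it."""
    for index, rule in enumerate(rules):
        if not path_matches(rule["resource"]["path"], path):
            continue
        allowed = origin in rule["allowOrigins"] and method in rule["allowMethods"]
        credentials = allowed and bool(rule.get("allowCredentials", False))
        return {"rule": index, "allowed": allowed, "credentials": credentials}
    # Default behaviour: no matching rule means cross-origin requests are disabled.
    return {"rule": None, "allowed": False, "credentials": False}


def shadowed_rules(rules):
    """Lint check: indexes of rules that can never be reached because an earlier
    rule's path already covers theirs (the reversed-order mistake in the text)."""
    shadowed = []
    for later, rule in enumerate(rules):
        later_path = rule["resource"]["path"]
        for earlier in range(later):
            if path_matches(rules[earlier]["resource"]["path"], later_path):
                shadowed.append(later)
                break
    return shadowed


if __name__ == "__main__":
    rules = load_rules(CORS_RULES_JSON)
    # Constructed requests covering each rule, a non-listed method, and an unmatched path.
    for path, origin, method in [
        ("/api/data/documents", "http://this.example.com", "GET"),
        ("/api/data/documents", "http://this.example.com", "POST"),
        ("/api/data/unid/abc123", "http://that.example.com", "DELETE"),
        ("/api/freebusy", "http://this.example.com", "GET"),
        ("/api/calendar", "http://this.example.com", "GET"),
    ]:
        print(path, origin, method, evaluate(rules, path, origin, method))
    swapped = [rules[1], rules[0], rules[2]]
    print("shadowed with the first two rules swapped:", shadowed_rules(swapped))
```

Running the shadow check before deploying a rules file catches the ordering mistake the text warns about: with the first two rules swapped, the /api/data/documents rule is reported as unreachable, and a POST to /api/data/documents is refused by the documents rule rather than falling through to the broader /api/data rule, which is exactly the first-match behaviour that makes rule order matter.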