Using CORS in Xapix

CORS and Xapix

Cross-Origin Resource Sharing (CORS) uses specific HTTP headers that allows a web application running on a server (an origin) to access specific resources on a different origin. An example of a CORS request is JavaScript code from https://initial-origin.com making a request to https://different-origin.com/data.json.

We consider two CORS scenarios: CORS Preflight Handshakes and Simple Requests.

CORS Preflight

Xapix does not support requests that trigger a CORS preflight. This type of CORS request uses the HTTP OPTIONS method to first determine if the actual request is safe to send. If safe, then the actual request can then be sent. This is a CORS handshake.

Simple Requests

Xapix support requests that do not trigger a CORS preflight. These are called Simple Requests. Consequently, Xapix supports, in the context of CORS requests, all GET and POST requests under certain conditions.

Consequently, if you use a Xapix REST pipeline as a backend such as JavaScript on a website, you will need to create a workaround.

For more information about CORS preflight handshake, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests.

For more information about Simple Requests, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests.

CORS Workaround

You can use the following CORS workaround if a Xapix REST pipeline is used as a backend.

  • Create HTTP / REST GET and POST pipelines but not PUT, PATCH or DELETE requests.

  • For POST requests, the header Content-Type must be set to application/x-www-form-urlencoded while the body payload must be URL-encoded by hand, for example, in javascript with a function such as:

/**
* @param {Object} object
* @return {string}
*/
export function toFormUrlEncoded(object) {
return Object.entries(object)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join('&');
}
  • For CORS requests, set header to Access-Control-Allow-Originon the pipeline endpoint responses.