Wednesday, October 30, 2019

Cross Origin Resource Sharing (CORS)

Usually our Pega application would be hosted on a server which has a domain (https://SampleDomain1). And all the resources which our Pega application needs would reside in the same server location and can be accessed via URL from browser.

Assume that there is a scenario where our Pega application would need to invoke the URL of other domain to load some details.That means a redirect should happen from Pega application to other domain URL. For security reasons, this would be disabled by default.

This scenario cries for a resource to be shared across multiple domains(origins). And that is called Cross Origin Resource Sharing (CORS).

Note: Origin is a term we can use to refer to the request origin.

Example:

To allow a user already in https://SampleDomain1 to be redirected to https://SampleDomain2, configuration needs to be made at SampleDomain2 to allow requests from SampleDomain1 (by using whitelisting method).

https://SampleDomain1
https://SampleDomain2

SampleDomain2 should whitelist by using the below HTTP header.
Access-Control-Allow-Origin : https://SampleDomain1

Note: Access-Control-Allow-Orgin : * would mean that any resource can access it. And this could lead to other security issues.

Pega made this simple by introducing a rule under security category : "Cross Origin Resource Sharing". Login to Designer Studio and navigate to Records >> Security >> Cross Origin Resource Sharing (as highlighted in below screenshot).

In my next post: I would have a real-time usecase which would demonstrate the same. In the mean-time you can explore the HTTP header Access-Control-Allow-Orgin. - It would become interesting if you use Fiddler/Developer Tools >> Network to look into HTTP requests which involves cross domain for this header. Thank you!

Thank you!

4 comments:

  1. Hi Pavan
    Can you please explain about this Scenarios with screenshots example

    ReplyDelete
    Replies
    1. Sure. Thanks for the feedback. I would post in couple of weeks, and would tag it to this post.

      Delete
  2. Hi..Waiting for this scenario. Could you please make a post on this

    ReplyDelete


HowToPega : All rights reserved and the contents are copyrighted to Pavan Kumar Naidu