Documentation Center

The Content Service and CORS (Cross-Origin Resource Sharing)

By default, the Content Service follows same-origin policy and therefore disables CORS (Cross-Origin Resource Sharing, also called Cross-Site Resource Sharing). As a result, cross-origin HTTP requests made from any endpoint in any API to the Content Service normally fail. However, CORS is enabled for a number of endpoints in the Public Content API.

You can verify that CORS is disabled by making the following HTTP request from a page served by any web container, for example Apache Tomcat:
<!DOCTYPE html>
<html>
  <head>
    <title>Content Service CORS test</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
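    <script type="text/javascript">
      $(document).ready(function() {
        // Cross-origin request from this page to the Content Service
        $.ajax({
          url: "http://localhost:8081/client/v2/content.svc/"
        }).then(function(data, status, jqxhr) {
          // Runs only if the request succeeds; with CORS disabled the browser blocks it
          $('.content-service-content').append(data);
          console.log(jqxhr);
        });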
      });
    </script>
  </head>
  <body>
    <div>
      <p class="content-service-content">Resource unavailable with CORS</p>
    </div>
  </body>
</html>

This request should yield a 401 error, with the following error message: No 'Access-Control-Allow-Origin' header is present on the requested resource.

In all Content Service APIs (such as the RESTful API), CORS is disabled for all endpoints.

In the Public Content API, CORS is disabled for the GraphQL endpoint at the relative URL /cd/api/graphiql, but enabled for the following endpoints:
  • /cd/api/ (using POST method)
  • /cd/api/ (using GET method)
  • /cd/api/binary/NSID/PUBID/BINID (using GET method)
  • /cd/api/binary/NSID/PUBID/BINID/VARID (using GET method)

where:

  • NSID is your namespace identifier (a number)
  • PUBID is your publication identifier (a number)
  • BINID is the identifier of your binary resource (a number)
  • VARID is the (URL-encoded) identifier of your variant
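
The endpoint list above can be turned into a check that compares observed response headers with the documented policy. This is an added example, not code from the product or its documentation; the function names, the optional trailing slash on /cd/api/ and the sample observations are assumptions constructed for illustration.

```javascript
// Added example: the documented CORS policy of the Public Content API as a checker.
// Endpoints for which the page says CORS is enabled.
const CORS_ENABLED = [
  // /cd/api/ via GET or POST (trailing slash treated as optional: assumption)
  { methods: ["GET", "POST"], pattern: /^\/cd\/api\/?$/ },
  // /cd/api/binary/NSID/PUBID/BINID with an optional URL-encoded /VARID
  { methods: ["GET"], pattern: /^\/cd\/api\/binary\/\d+\/\d+\/\d+(\/[^\/?#]+)?$/ },
];

// True when the documentation says this method + path is CORS-enabled.
function corsExpected(method, path) {
  const m = method.toUpperCase();
  return CORS_ENABLED.some(e => e.methods.includes(m) && e.pattern.test(path));
}

// Compare observed responses with the documented policy.
// Each observation: { method, path, headers }, headers being a plain object.
function auditCors(observations) {
  const findings = [];
  for (const { method, path, headers } of observations) {
    const names = Object.keys(headers).map(h => h.toLowerCase());
    const allowed = names.includes("access-control-allow-origin");
    if (allowed !== corsExpected(method, path)) {
      findings.push({ method, path, issue: allowed
        ? "CORS header on an endpoint documented as CORS-disabled"
        : "CORS header missing on an endpoint documented as CORS-enabled" });
    }
  }
  return findings;
}

// Constructed observations (hypothetical header captures, not real output).
const sample = [
  { method: "GET", path: "/cd/api/binary/1/5/273",
    headers: { "Access-Control-Allow-Origin": "*" } },
  { method: "GET", path: "/cd/api/graphiql",
    headers: { "Access-Control-Allow-Origin": "*" } },
  { method: "GET", path: "/client/v2/content.svc/",
    headers: { "Content-Type": "application/xml" } },
  { method: "POST", path: "/cd/api", headers: {} },
];
console.log(auditCors(sample));
```

A finding of the first kind (a CORS header on /cd/api/graphiql or on a Content Service endpoint) means the deployment is more permissive than documented and should be reviewed.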