The Content Service and CORS (Cross-Origin Resource Sharing)
By default, the Content Service follows same-origin policy and therefore disables CORS (Cross-Origin Resource Sharing, also called Cross-Site Resource Sharing). As a result, cross-origin HTTP requests made from any endpoint in any API to the Content Service normally fail. However, CORS is enabled for a number of endpoints in the Public Content API.
The following test page makes a cross-origin request to the Content Service:
<!DOCTYPE html>
<html>
  <head>
    <title>Content Service CORS test</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
    <script type="text/javascript">
      $(document).ready(function() {
        // Cross-origin GET to the Content Service
        $.ajax({
          url: "http://localhost:8081/client/v2/content.svc/"
        }).then(function(data, status, jqxhr) {
          // Runs only if the browser lets the page read the response
          $('.content-service-content').append(data);
          console.log(jqxhr);
        });
      });
    </script>
  </head>
  <body>
    <div>
      <p class="content-service-content">Resource unavailable with CORS</p>
    </div>
  </body>
</html>
This request should yield a 401 error, with the following error message: No 'Access-Control-Allow-Origin' header is present on the requested resource.
In all Content Service APIs (such as the RESTful API), CORS is disabled for all endpoints. In the Public Content API, CORS is enabled for the following endpoints:
- /cd/api/ (using POST method)
- /cd/api/ (using GET method)
- /cd/api/binary/NSID/PUBID/BINID (using GET method)
- /cd/api/binary/NSID/PUBID/BINID/VARID (using GET method)
where:
- NSID is your namespace identifier (a number)
- PUBID is your publication identifier (a number)
- BINID is the identifier of your binary resource (a number)
- VARID is the (URL-encoded) identifier of your variant
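
The browser-side decision behind the error message above, and behind the difference between the RESTful endpoint and the CORS-enabled /cd/api/ endpoints, can be reproduced with the following added example (not part of the original documentation or the product's code). The page origin http://localhost:8080 and the response header values are constructed assumptions, not captured from a real Content Service.

```javascript
// Added example: the CORS check a browser applies to a cross-origin response.
// Header values in `samples` are constructed for illustration (assumptions).

// Case-insensitive header lookup on a plain object; null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Decide whether a page at `pageOrigin` may read the response.
function corsCheck(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = header(responseHeaders, "Access-Control-Allow-Origin");
  if (acao === null) {
    return { allowed: false,
      reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (acao === "*") {
    // The wildcard never satisfies a request sent with cookies or HTTP auth.
    return withCredentials
      ? { allowed: false, reason: "wildcard origin not accepted for credentialed requests" }
      : { allowed: true, reason: "wildcard origin" };
  }
  if (acao !== pageOrigin) {
    return { allowed: false, reason: `allowed origin ${acao} does not match ${pageOrigin}` };
  }
  if (withCredentials &&
      header(responseHeaders, "Access-Control-Allow-Credentials") !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
  }
  return { allowed: true, reason: "origin matches" };
}

// Constructed responses: one without CORS headers, one with them.
const samples = [
  { endpoint: "/client/v2/content.svc/", headers: { "Content-Type": "application/xml" } },
  { endpoint: "/cd/api/", headers: { "access-control-allow-origin": "http://localhost:8080" } },
];

// Evaluate every sample response for a page served from `pageOrigin`.
function report(pageOrigin) {
  return samples.map(s => ({ endpoint: s.endpoint, ...corsCheck(pageOrigin, s.headers) }));
}

console.log(report("http://localhost:8080"));
```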