Version 2, last updated by johan.a.prinsloo at 19 Jan 22:18 UTC
Cross Origin Resource Sharing
The W3C has a working draft of a new standard to allow safe cross origin access from web pages:
Cross-Origin Resource Sharing Draft
This useful functionality does, however, place a burden on web servers: they must expose specific headers on GET, PUT, POST and DELETE responses and on the responses to the "pre-flight" OPTIONS requests that browsers send first.
Lift provides a quick way to set the required headers in the Boot class:
    // Headers added to every Lift response (note the Lift spelling: supplimentalHeaders)
    LiftRules.supplimentalHeaders = s => s.addHeaders(
      List(HTTPParam("X-Lift-Version", LiftRules.liftVersion),
           // "*" allows anonymous calls from any page; see the note below about
           // authenticated calls, which need a specific origin instead
           HTTPParam("Access-Control-Allow-Origin", "*"),
           HTTPParam("Access-Control-Allow-Credentials", "true"),
           HTTPParam("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS"),
           HTTPParam("Access-Control-Allow-Headers", "WWW-Authenticate,Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type")
      ))
It is efficient to answer the pre-flight OPTIONS requests in a reverse proxy such as nginx, so they never reach Lift.
Example nginx configuration:
    location / {
        # Answer pre-flight requests directly from nginx
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Keep-Alive,User-Agent,X-Requested-With,.......';
            # Let the browser cache the pre-flight result (seconds)
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 200;
        }
        :
    }
Note: authenticated cross-domain calls (requests that carry cookies or HTTP authentication) do not work with
'Access-Control-Allow-Origin' '*'; the browser rejects such a response, so you have to designate the specific origins that are allowed.
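The origin allowlist that the note calls for, written out as an added, framework-independent example (this is not Lift or nginx code): the Origin header is matched exactly against a constructed, hypothetical allowlist, the matched origin is echoed back instead of '*', and the pre-flight headers from the snippets above are only added on an OPTIONS request.

```python
# Added example, not part of the Lift wiki page. ALLOWED_ORIGINS is a constructed,
# hypothetical allowlist; the method, header and max-age values mirror the snippets above.

ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})
ALLOWED_METHODS = ("GET", "POST", "PUT", "OPTIONS")
ALLOWED_HEADERS = ("X-Requested-With", "Cache-Control", "Content-Type")
MAX_AGE_SECONDS = 1728000  # same value as the nginx snippet


def cors_headers(request_headers: dict, method: str) -> dict:
    """Return the response headers to add for one request.

    The Origin value is compared by exact string match, so an origin that merely
    starts with or contains an allowed value does not match. When the origin is
    absent or not allowed, no Access-Control-* headers are emitted at all and
    the browser blocks the cross-origin read.
    """
    origin = request_headers.get("Origin")
    # Once the echoed origin varies per request, caches must key on Origin.
    headers = {"Vary": "Origin"}
    if origin is None or origin not in ALLOWED_ORIGINS:
        return headers

    # Echo the specific matched origin; "*" is rejected for credentialed calls.
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"

    requested = request_headers.get("Access-Control-Request-Method")
    if method == "OPTIONS" and requested is not None:
        # Pre-flight: only answer if the method the page wants to use is allowed.
        if requested in ALLOWED_METHODS:
            headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
            headers["Access-Control-Allow-Headers"] = ",".join(ALLOWED_HEADERS)
            headers["Access-Control-Max-Age"] = str(MAX_AGE_SECONDS)
    return headers
```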