CORS Enabled Browser-Based Applications

Cross-Origin Resource Sharing (CORS) is a specification that allows scripts from one domain to make requests to another domain.

When a browser-based application, such as a JavaScript or jQuery application, sends a request to a domain other than the one it is hosted in, it is called a cross domain request. All valid CORS requests are accompanied by an origin header, which is added automatically by the browser. SAP Mobile Platform can handle all the received CORS requests.

The response headers that are added to all valid CORS requests received by SAP Mobile Platform include:

Access-Control-Allow-Origin – origin value as specified in the request header.
Access-Control-Allow-Credentials – when set to true, enables credential requests and requests accompanied with cookies.
Access-Control-Expose-Headers – to include any custom header in the application, the list of exposed headers must be set as the value in this header.
Note: If the backend does not explicitly specify Access-Control-Expose-Headers, SAP Mobile Platform adds all response headers (except for simple HTTP headers and set-cookie header) to this header value, allowing the browser application to access all the headers from the backend response.

In case of a pre-flight (HTTP OPTIONS) request, SAP Mobile Platform adds these headers to the response:

Access-Control-Allow-Methods – Based on the request URL:
- POST for onboarding URL
- GET, PUT, DELETE for application settings URL
- GET for resource bundle URL
- Value of Access-Control-Request-Method header for all other URLs
Access-Control-Allow-Headers – Access-Control-Request-Headers header value as specified in request.
Access-Control-Max-Age – the time period for which the browser caches the results of the pre-flight request is by default, 3600 seconds.

Browser Restrictions with CORS

Internet Explorer versions 9 and earlier do not support CORS-enabled browser-based applications.
Safari supports Document Object Model (DOM) parsing with restrictions.