HCP Tenant Management Help


CORS use cases

With a proper CORS rules configuration for a namespace, the HCP software can process CORS requests from web applications hosted in a different domain (origin).

HCP supports the following CORS use cases.

Simple request. A simple request is a request that does not trigger a CORS preflight request. A simple request meets the following conditions:

oThe method request is GET, HEAD, or POST.

oThe only headers added manually are Accept, Accept-Language, Content-Language, Content-Type, DPR, Downlink, Save-Data, Viewport-Width, Width.

oThe Content-Type header value is application/x-www-form-urlencoded, multipart/form-data, or text/plain.

oNo ReadableStream object or event listeners are registered on any XMLHttpRequestUpload object that the request uses.

Preflight request. A preflight request is a CORS request that checks to see if the CORS protocol is understood. It is an OPTIONS request that uses three HTTP request headers:

oAccess-Control-Request-Method

oAccess-Control-Request-Headers

oOrigin

A web browser automatically issues a preflight request when needed. The browser determines whether it needs to send a preflight request based on the web application request parameters used in the JavaScript code. If the HCP server approves the validity of the preflight request, the server responds with an approval response header. Then, the web browser sends the actual HTTP resource request.

If any of the following conditions is true, the browser uses a preflight request before the actual resource request:

oThe request uses the Authorization header.

oThe request uses one of these methods: PUT, DELETE, OPTIONS.

oThe request uses headers and a Content-Type other than the ones used for a simple request (described above).

oThe request contains event listeners registered on an HTMLHttpRequestUpload object or a ReadableStream object.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.