Configuring CORS Support
Cross-Origin Resource Sharing (CORS) Support
CORS is a web security technique that uses a set of headers to control and secure web applications. Full CORS support for the Delivery Tier applications was introduced in 5.4 Update 233. All modern web browsers and servers provide support for CORS. Follow these links for more detailed information on CORS and Content Security Policy (CSP).
Why do we need CORS?
CORS provides support for applications that request content / data from a server that is different than the web server that is hosting a published website. This may happen in your architecture if the DTS Server is installed on a separate server from the web server.
Example:
CMS Server: https://percussion.mysite.com
Web Server: https://www.mysite.com
DTS Server: https://dts.mysite.com
When a website visitor accesses content on https://www.mysite.com any Widgets that use the DTS applications (Comments, Forms, Lists, RSS, etc) will call services on https://dts.mysite.com.
This is a cross origin request and browsers will block the request for security purposes unless CORS headers are passed correctly by the web server / web application.
This also applies to requests made from the CMS UI. When editing or previewing requests can be blocked without CORS configuration.
CORS and Content Security Policy Configuration
CORS support is configured by editing the following configuration files, note that you may need to create this file if it is not present in your deployment:
<InstallDir>/Deployment/Server/conf/perc/perc-security.properties
ContentSecurityPolicy=default-src * data\: https\: *.percussion.com *.percussion.marketing
*.percussion.services ; img-src * 'self' data\: https\: 'unsafe-inline' 'unsafe-eval'; font-src *
'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval' *.siteimprove.net ; style-src *
'unsafe-inline' 'unsafe-eval'; frame-src * 'self' data\: https\: *.percussion.com *.percussion.marketing *.percussion.services
'unsafe-inline' 'unsafe-eval'; frame-ancestors * 'self' ;
Access-Control-Allow-Origin=*
A default Content Security Policy (CSP) and CORS configuration are provided. The default entry of * for Access-Control-Allow-Origin is permissive and allows any web server to call the DTS services. This can be updated to add one or more named origin web servers to lock requests down to be allowed from just those servers. In the example above we would add allowed origins for both the Percussion CMS server and for the Web Server:
Access-Control-Allow-Origin=www.mysite.com,percussion.mysite.com
This will tell web browsers and the server that the DTS should only accept requests that were referred from those hosts. A host entry should be added to the origin list for every hostname (test, dev, staging etc) that may be used to access the DTS.
After saving this change, the DTS service must be restarted.