You are here: Web User Interface > Using the Interface > CORS

Cross-Origin Resource Sharing

Select Manage > Administration > CORS.

Cross-origin Resource Sharing (CORS) allows you to specify websites hosted on other domains that can access resources from the FME Server through Ajax requests.

CORS is disabled by default. To enable CORS:

  1. Click Load Template, and select Allow All Hosts or Allow Specific Hosts.
  2. Configure the remaining settings, as desired.
  3. Click Save and Apply.


Allowed Origins

A comma-separated list of hosts that are allowed access to the FME Server. An * allows access from any host. An * cannot be specified if any origins are passing credentials. For an example of how to specify the list of hosts, click Load Template and select Allow Specific Hosts. To disable CORS, leave this field blank.

Allowed Methods

A comma-separated list of HTTP methods that may be used in requests from the allowed origins.

Allowed Headers

A comma-separated list of permitted request headers from the allowed origins. A request header is any custom header set by the browser JavaScript application through method

Exposed Headers

A comma-separated list of non-standard response headers that are safe to expose to the requestor (initiated through the XMLHttpRequest.getResponseHeader() method). This information is returned in the Access-Control-Expose-Headers response header.

Pre-flight Max Age

Specifies how long, in seconds, the results of a pre-flight request can be cached by the requestor. This information is returned in the Access-Control-Max-Age response header.

Supports Credentials

If True, allows the requestor to include credentials to authorize with the FME Server, including cookies, HTTP authentication (tokens), or client-side certificates. This value is returned in the Access-Control-Allow-Credentials response header.