You are here: Web User Interface > Using the Interface > System Configuration > CORS

Cross-Origin Resource Sharing

Select System Configuration > CORS.

Cross-origin Resource Sharing (CORS) allows you to specify websites hosted on other domains that can access resources from the FME Server through Ajax requests.

Note: You must have Manage Security permission to configure CORS. For more information, see Users or Roles.

Disabling and Enabling CORS

CORS is enabled by default to allow any host to access FME Server resources.

To disable CORS

  1. Click Load Template, and select Disable CORS.
  2. Click Save Changes. (Or to cancel, click Revert Changes.)

To re-enable CORS

  1. Click Load Template, and select Allow All Hosts or Allow Specific Hosts.
  2. Configure the remaining settings, as desired (see "Updating CORS Settings", below).
  3. Click Save Changes. (Or to cancel, click Revert Changes.)

Updating CORS Settings

Configure the fields on the CORS page as desired, and click Save Changes. (Or to cancel, click Revert Changes.)

Note: If your installation of FME Server is configured for fault tolerance, you must restart the FME Server Application Server on all machines after updating CORS settings.

  • Allowed Origins: A comma-separated list of hosts that are allowed access to the FME Server. An * allows access from any host. An * cannot be specified if any origins are passing credentials. For an example of how to specify the list of hosts, click Load Template and select Allow Specific Hosts.
  • Allowed Methods: A comma-separated list of HTTP methods that may be used in requests from the allowed origins.
  • Allowed Headers: A comma-separated list of permitted request headers from the allowed origins. A request header is any custom header set by the browser JavaScript application through method XMLHttpRequest.setRequestHeader().
  • Exposed Headers: A comma-separated list of non-standard response headers that are safe to expose to the requestor (initiated through the XMLHttpRequest.getResponseHeader() method). This information is returned in the Access-Control-Expose-Headers response header.
  • Pre-flight Max Age: Specifies how long, in seconds, the results of a pre-flight request can be cached by the requestor. This information is returned in the Access-Control-Max-Age response header.
  • Supports Credentials: If True, allows the requestor to include credentials to authorize with the FME Server, including cookies, HTTP authentication (tokens), or client-side certificates. This value is returned in the Access-Control-Allow-Credentials response header.