Cross-Origin Resource Sharing

Select System Configuration > Network & Email > CORS.

Cross-origin Resource Sharing (CORS) allows you to specify websites hosted on other domains that can access resources from the FME Flow through Ajax requests.

Disabling and Enabling CORS

CORS is enabled by default to allow any host to access FME Flow resources.

To disable CORS

  1. Click Load Template, and select Disable CORS.
  2. Click Save Changes. (Or to cancel, click Revert Changes.)

To re-enable CORS

  1. Click Load Template, and select Allow All Hosts or Allow Specific Hosts.
  2. Configure the remaining settings, as desired (see "Updating CORS Settings", below).
  3. Click Save Changes. (Or to cancel, click Revert Changes.)

Updating CORS Settings

Configure the fields under CORS as desired, and click Save Changes. (Or to cancel, click Revert Changes.)

Note  If your installation of FME Flow is configured for fault tolerance, you must restart the FME Flow Application Server on all machines after updating CORS settings.
  • Allowed Origins: A comma-separated list of hosts that are allowed access to the FME Flow. An * allows access from any host. An * cannot be specified if any origins are passing credentials. For an example of how to specify the list of hosts, click Load Template and select Allow Specific Hosts.
  • Allowed Methods: A comma-separated list of HTTP methods that may be used in requests from the allowed origins.
  • Allowed Headers: A comma-separated list of permitted request headers from the allowed origins. A request header is any custom header set by the browser JavaScript application through method XMLHttpRequest.setRequestHeader().
  • Exposed Headers: A comma-separated list of non-standard response headers that are safe to expose to the requestor (initiated through the XMLHttpRequest.getResponseHeader() method). This information is returned in the Access-Control-Expose-Headers response header.
  • Pre-flight Max Age: Specifies how long, in seconds, the results of a pre-flight request can be cached by the requestor. This information is returned in the Access-Control-Max-Age response header.
  • Supports Credentials: If True, allows the requestor to include credentials to authorize with the FME Flow, including cookies, HTTP authentication (tokens), or client-side certificates. This value is returned in the Access-Control-Allow-Credentials response header.