8.55 – Cross-Origin Resource Sharing

In PeopleTools 8.55, Cross-Orign Resource Sharing (CORS) is now supported. Don’t know what CORS allows? Here is a good primer on the topic.

The Same-Origin Policy restricts the browser from performing certain actions by scripts or documents based on the origin. The origin is everything in the URL before the path (for example, http://www.example.com). For certain actions, the browser will compare origins and, if they don’t match, won’t allow things to proceed. For example:

  • A parent document can’t access the contents of an that comes from a different origin. This prevents a malicious site from opening up your bank’s website and stealing your credentials, as an example.
  • While one document can send information to another via a form post, AJAX requests across origins are generally disallowed.

The Same-Origin Policy is a vital piece of web security architecture, but it also poses a problem. What happens when you want to allow a site with a different origin to access your content?

Here is a great example of where CORS support can benefit PeopleSoft. In Enterprise Learning Management, you can link to hosted web-based training. Often, that web-based training is on a different domain. With CORS support, you can add in remote sites in the Web Profile and display remote courses in your ELM environment.

To enable Cross-Origin sites, open your Web Profile. There is a new tab, Authorized Site, that lets you list many sites to support.

6 thoughts on “8.55 – Cross-Origin Resource Sharing

  1. Have you seen any evidence of the CORS settings being included in ACM templates yet? I gave it a quick look and did not see them. I am going to open a ticket to see if exists, but is not yet documented.

    1. No, I haven’t. That would be a good feature to add to the ACM. Until then, a SQL update would be easy enough to run.

      1. Thanks Dan, I have the SQL update on my list if it doesn’t get added soon. I just want to put it in my existing hiera šŸ™‚

        Particularly after I learned from your site the other day that I could add a config_settings hash to the webserver definitions in hiera and save writing my own WLST scripts for WebLogic Config. I was well on my way to re-inventing several wheels.

        I will throw an Idea on Oracle Support. I have a few others on there, i’m not sure how much traction they have generated. I did fire of an SR so we’ll see if that gets to development. Several of my other puppet related SRs have.

    2. Another option is to create an Idea on the Oracle Community site. People can upvote the idea to help it gain steam.

Leave a Reply

Your email address will not be published. Required fields are marked *

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax