8.55 – Cross-Origin Resource Sharing

peopletools security web server Jan 11, 2016

Dan Iverson

In PeopleTools 8.55, Cross-Origin Resource Sharing (CORS) is now supported. Don’t know what CORS allows? Here is a good primer on the topic.

The Same-Origin Policy restricts the browser from performing certain actions by scripts or documents based on the origin. The origin is everything in the URL before the path (for example, http://www.example.com). For certain actions, the browser will compare origins and, if they don’t match, won’t allow things to proceed. For example:

  • A parent document can’t access the contents of an iframe that comes from a different origin. This prevents a malicious site from opening up your bank’s website and stealing your credentials, as an example.
  • While one document can send information to another via a form post, AJAX requests across origins are generally disallowed.

The Same-Origin Policy is a vital piece of web security architecture, but it also poses a problem. What happens when you want to allow a site with a different origin to access your content?

Here is a great example of where CORS support can benefit PeopleSoft. In Enterprise Learning Management, you can link to hosted web-based training. Often, that web-based training is on a different domain. With CORS support, you can add in remote sites in the Web Profile and display remote courses in your ELM environment.

To enable Cross-Origin sites, open your Web Profile. There is a new tab, Authorized Site, that lets you list many sites to support.
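The origin comparison and the authorized-site list described above can be sketched as follows. This is an added example, not PeopleTools code and not a description of how the Web Profile is implemented; the `AUTHORIZED_SITES` list, host names and function names are constructed for illustration.

```javascript
// Added example: exact-match origin allowlist, as a CORS-aware server might apply it.
// AUTHORIZED_SITES and the host names are constructed sample values (assumptions).
const AUTHORIZED_SITES = [
  'https://training.example.com',
  'https://courses.example.org:8443',
];

// Reduce a URL or Origin header value to its origin (scheme + host + port).
// Returns null for values that cannot be parsed or that have an opaque origin.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch (err) {
    return null;
  }
}

const ALLOWED = new Set(AUTHORIZED_SITES.map(originOf).filter(Boolean));

// Same-Origin Policy comparison: scheme, host and port must all match.
// Default ports are normalized, so http://host and http://host:80 are equal.
function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// Decide the CORS response headers for a request's Origin header.
// Only an exact match against the allowlist is echoed back: no wildcard,
// and no substring or suffix matching that a lookalike host could satisfy.
function corsHeaders(requestOrigin) {
  const origin = originOf(requestOrigin);
  if (origin === null || origin !== requestOrigin || !ALLOWED.has(origin)) {
    return {}; // no header: the browser keeps blocking the cross-origin read
  }
  // Vary tells caches that the response depends on the Origin header.
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}
```

An origin that is not on the list gets no `Access-Control-Allow-Origin` header at all, so the browser's default Same-Origin behavior stays in force for it.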

 


Note: This was originally posted by Dan Iverson and has been transferred from a previous platform. There may be missing comments, style issues, and possibly broken links. If you have questions or comments, please contact [email protected].