7.2. CORS problems and headers

 
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
 
 
To avoid CORS problems, you need to set the following headers in each response you send to BOA.
 
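// Read the Origin header the browser sent with the request
cOrigin := oThread:HTTPRequest:origin()
// Return that origin as the one allowed to read the response
oThread:HTTPResponse:setheader('Access-Control-Allow-Origin', cOrigin)
// Methods and request headers accepted on cross-origin requests (checked during the preflight)
oThread:HTTPResponse:setheader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS' )
oThread:HTTPResponse:setheader('Access-Control-Allow-Headers', 'Origin, Content-Type, Content-Disposition, Content-Transfer-Encoding, X-Auth-Token, Authorization')
// Response header that browser scripts are allowed to read
oThread:HTTPResponse:setheader('Access-Control-Expose-Headers', 'Content-Disposition')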
 
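The syntax above is Xbase++. In another language, look up how to read the Origin header of the request so that you can set it back in the Access-Control-Allow-Origin response header. Echoing the request's origin this way allows every origin, so if only known BOA front ends should call your server, compare the origin against a list of allowed origins before setting the header, and send Vary: Origin so that caches do not reuse a response across origins.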
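For developers working in another language, the same header logic with the origin checked against an allowlist, written in Python. This is an added example, not BOA or Xbase++ code; the function names and the origins in ALLOWED_ORIGINS are assumptions to replace with your own.

```python
from urllib.parse import urlsplit

# Assumption: origins that serve the BOA front end (constructed sample values).
ALLOWED_ORIGINS = {"https://boa.example.com", "http://localhost:8080"}
ALLOW_METHODS = "GET, POST, PUT, DELETE, OPTIONS"
ALLOW_HEADERS = ("Origin, Content-Type, Content-Disposition, "
                 "Content-Transfer-Encoding, X-Auth-Token, Authorization")


def normalize_origin(origin):
    """Return lower-case scheme://host[:port], or None if not a usable origin."""
    if not origin or origin == "null":   # "null" comes from sandboxed or file:// pages
        return None
    try:
        parts = urlsplit(origin)
    except ValueError:                   # e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # A real Origin value has no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(origin, method, allowed=ALLOWED_ORIGINS):
    """Return (status, headers) for one request.

    status is 204 for a preflight (OPTIONS) and None otherwise, meaning the
    normal request handler should continue and add these headers to its reply.
    """
    # Vary: Origin stops a cache from replaying one origin's answer to another.
    headers = {"Vary": "Origin"}
    normalized = normalize_origin(origin)
    # Exact match only: no prefix, suffix or substring comparison.
    if normalized in allowed:
        headers["Access-Control-Allow-Origin"] = normalized
        headers["Access-Control-Allow-Methods"] = ALLOW_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOW_HEADERS
        headers["Access-Control-Expose-Headers"] = "Content-Disposition"
    # A preflight is answered without running the real handler. For an origin
    # that is not allowed, the missing Allow-Origin header makes the browser
    # block the actual request.
    status = 204 if method.upper() == "OPTIONS" else None
    return status, headers
```

Call cors_headers() with the request's Origin header and HTTP method on every request, copy the returned headers into the response, and return an empty response when the status is 204.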