Cross-Domain Requests

Accela Construct API supports Cross-Origin Resource Sharing (CORS) requests which allow cross-domain communication between a browser and the server. When the originating site sends a request from a browser that supports CORS to the Accela Construct API server, the browser appends the Origin HTTP request header before sending the request to the server. In response to the cross-domain request, the Accela Construct API returns Access-Control HTTP headers to the originating site.

A use case is when a web site, which is limited by the web application security model's same-origin policy, enables CORS to securely access data returned by the Accela Construct API on https://apis.accela.com. For example, if an agency web application bound by a security policy that limits its access within the same domain needs to call Accela Construct API on the Accela-hosted server, the agency web application can enable CORS support on its client server before making Accela Construct API calls. If a sample originating site is http://www.myAgencySite.com, the browser adds the following request header:

Origin: http://www.myAgencySite.com

The server checks the validity of the origin site. If the origin is valid, the server sends the Access-Control-Allow-Origin HTTP response header with the Origin value (or “*” for a public resource). Accela Construct API returns the following Access Control HTTP response headers:

HTTP Response Header Description
Access-Control-Allow-Origin

Returns the origin site if allowed (for example, http://www.clientSite.com; otherwise returns null.

If the resource is available to the public, “*” is returned.

Access-Control-Allow-Credentials Returns true indicating that the actual request can include user credentials.
Access-Control-Expose-Headers Returns the header names that can be exposed, such as x-accela-traceId

See the W3C CORS specifications for more details about cross-origin requests and CORS response headers.