Cross-Domain Requests
Accela API supports Cross-Origin Resource Sharing (CORS) requests, which allow cross-domain communication between a browser and the server. When the originating site sends a request from a browser that supports CORS to the Accela API server, the browser appends the Origin HTTP request header before sending the request to the server. In response to the cross-domain request, the Accela API returns Access-Control HTTP headers to the originating site.
A typical use case is a web site that is limited by the web application security model's same-origin policy and enables CORS to securely access data returned by the Accela API on https://apis.accela.com. For example, if an agency web application bound by a security policy that limits its access to the same domain needs to call the Accela API on the Accela-hosted server, the agency web application can enable CORS support on its client server before making Accela API calls. If the originating site is http://www.myAgencySite.com, the browser adds the following request header:
Origin: http://www.myAgencySite.com
The server checks the validity of the originating site. If the origin is valid, the server sends the Access-Control-Allow-Origin HTTP response header with the Origin value (or "*" for a public resource). Accela API returns the following Access-Control HTTP response headers:
| HTTP Response Header | Description |
|---|---|
| Access-Control-Allow-Origin | Returns the origin site if allowed (for example, http://www.clientSite.com); otherwise returns null. If the resource is available to the public, "*" is returned. |
| Access-Control-Allow-Credentials | Returns true, indicating that the actual request can include user credentials. |
| Access-Control-Expose-Headers | Returns the header names that can be exposed to the calling script, such as x-accela-traceId. |
See the W3C CORS specifications for more details about cross-origin requests and CORS response headers.
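The exchange above, both halves, as an added example that is not Accela's code: the server side builds the Access-Control-* headers from the table for a given Origin value, and the browser side applies the check a CORS-aware browser performs before handing the response to page script. The origin allowlist is constructed for illustration; the handling of a disallowed origin (omit the header rather than send a literal `null`) and the `Vary: Origin` header are the editor's additions, noted in the comments.

```python
from typing import Dict, Optional

# Constructed allowlist of originating sites (hypothetical; not Accela's real policy).
ALLOWED_ORIGINS = {"http://www.myAgencySite.com", "http://www.clientSite.com"}
EXPOSED_HEADERS = ("x-accela-traceId",)


def cors_response_headers(origin: Optional[str], public_resource: bool = False,
                          allowed_origins=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Server side: build the Access-Control-* headers from the table above.
    `origin` is the browser's Origin request header (None if absent)."""
    headers: Dict[str, str] = {}
    if origin is None:
        return headers  # same-origin or non-CORS request: no CORS headers at all
    if public_resource:
        # A wildcard is only valid for credential-less responses, so
        # Allow-Credentials is deliberately left out here.
        headers["Access-Control-Allow-Origin"] = "*"
    elif origin in allowed_origins:
        # Exact match on scheme + host (+ port), never a prefix or substring test,
        # so "http://www.myAgencySite.com.attacker.test" does not qualify.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"  # editor's addition: stop caches replaying one origin's answer to another
    else:
        # Disallowed origin. The table says "null"; omitting the header has the
        # same effect in the browser and avoids matching the literal "null" Origin
        # that sandboxed iframes send (editor's choice, not Accela's documented behaviour).
        return headers
    headers["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
    return headers


def browser_exposes_response(origin: str, headers: Dict[str, str],
                             with_credentials: bool) -> bool:
    """Browser side: simplified form of the Fetch-standard CORS check that decides
    whether page script at `origin` may read the response."""
    allow = headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False
    if with_credentials:
        # Credentialed requests need an exact origin echo plus Allow-Credentials: true;
        # a "*" response is rejected by the browser in this case.
        return allow == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return allow == "*" or allow == origin
```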