How do you enable cross origin resource sharing (CORS) for Sugar 7 REST API?

A recently asked question that I've decided to answer here in the community so all can benefit since I did not see it asked here previously.

How do you enable cross origin resource sharing for Sugar 7 REST API?

Cross Origin Resource Sharing (CORS) allows clients to selectively by-pass the Same-origin policy implemented by web browsers. The Same-origin policy prevents web pages from accessing data from a different origin than the current one for security reasons. In particular, this prevents any arbitrary JavaScript web app from calling the Sugar 7 REST API directly using AJAX. CORS is the accepted standard for allowing cross origin requests that would otherwise be prevented.

For more details on what CORS means, check out this great resource.
http://enable-cors.org/index.html

0 Matt Marum over 5 years ago
While CORS isn't enabled by default in Sugar 7 for security reasons, you can configure it within your Apache HTTP Server to allow cross origin requests to your Sugar installation. This can be set up by adding the Access-Control-Allow-Origin header using an Apache configuration setting as documented at http://enable-cors.org/server.html

For example, you can modify your .htaccess file at the root of your Sugar installation and add the following directive.

<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "http://example.com"
</IfModule>
Replacing the URL above with the origin where you want to allow data to be shared. It is also possible to use the "*" wildcard to allow requests from any origin. This is convenient for development purposes but should never be used in production.
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
For more information about utilizing browser support for CORS, check out http://enable-cors.org/client.html
Cancel
Up +3 Down

Reply

Reject Answer

Cancel
0 Daniel Risso Elliot 22 days ago in reply to Matt Marum

Matt Marum Is posible to modify this with an OnCloud instance?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Matt Marum 18 days ago in reply to Daniel Risso Elliot

Hi Daniel. No, not at this time.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Jeroen Somhorst 17 days ago in reply to Matt Marum

Why is it disabled 'for security reasons' ?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Matt Marum 12 days ago in reply to Jeroen Somhorst

The same origin policy that's implemented by web browsers is a security feature that we want to remain enabled by default. You could imagine a malicious webpage hosted on an arbitrary domain that pretends to be Sugar, it allows a user to login and see the data that they expected, but in reality it could be stealing your information. Many users could be tricked into using such a web app if they click on a link in an email, etc.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel