CORS (Cross-origin resource sharing)

CORS (Cross-origin resource sharing) is a web browser specification that defines a way for a web browser and a web server to interact so that cross-origin requests (requests to a server in a different domain) are allowed, for all HTTP methods.

Support for CORS in Enterprise Tester was introduced in version 4.4 and is available in later versions. It currently supports:

  • CORS without authentication (session authentication is still used if the user is already authenticated with the Enterprise Tester server in the same browser session).
  • CORS with authentication (Enterprise Tester handles both pre-flighted and immediate requests by returning the "Access-Control-Allow-Credentials" header, which allows the use of Basic Authentication).

A web browser and its scripts are inherently insecure with respect to the operator: the user operating the browser can easily see the JavaScript/HTML in raw form. When using CORS with Basic Auth, we therefore strongly advise against storing the ET login and password credentials in JavaScript. Instead, they should be retrieved from the user interactively and not stored.

As always, when using Basic Auth, we recommend that you access Enterprise Tester via HTTPS (SSL).
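The two recommendations above, as an added sketch that is not taken from the Enterprise Tester examples repository: credentials are requested from the user at call time and kept only in local variables, and the request is refused unless it goes over HTTPS to the configured origin. The function names, the `askCredentials` callback and any host or path passed in are assumptions made for illustration.

```javascript
// Added example. The host and path used with these functions are placeholders.

// Encode "user:password" (UTF-8) for an HTTP Basic Authorization header.
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("user name must not contain ':'");
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// Build fetch() arguments for a cross-origin request with Basic Auth.
// Throws unless the target is HTTPS and on the configured origin, so the
// credentials never travel unencrypted or to another host.
function buildCorsRequest(baseUrl, path, user, password) {
  const base = new URL(baseUrl);
  const url = new URL(path, base);
  if (url.protocol !== "https:") throw new Error("Basic Auth requires HTTPS");
  if (url.origin !== base.origin) throw new Error("path leaves the configured origin");
  return {
    url: url.href,
    init: {
      method: "GET",
      mode: "cors",
      // Authorization is not a CORS-safelisted header, so the browser sends
      // a preflight OPTIONS request before the GET.
      headers: { Authorization: basicAuthHeader(user, password), Accept: "application/json" },
    },
  };
}

// askCredentials is supplied by the page (for example a login form with a
// password field) and resolves to { user, password }. The values live only
// in this call's local variables: not in the script source, not in storage.
async function fetchWithPromptedCredentials(baseUrl, path, askCredentials, fetchImpl = fetch) {
  const { user, password } = await askCredentials();
  if (!user || !password) throw new Error("credentials not supplied");
  const { url, init } = buildCorsRequest(baseUrl, path, user, password);
  const response = await fetchImpl(url, init);
  if (!response.ok) throw new Error(`request failed: HTTP ${response.status}`);
  return response.json();
}
```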

Examples of using CORS with Enterprise Tester can be found in the CORS Examples section of our API Github Repository.
