Skip to main content

CORS Configuration for PoolParty

Abstract

CORS Configuration for PoolParty

For security reasons, browsers do not trust JavaScript downloaded from arbitrary third-party websites. CORS (Cross-Origin Resource Sharing) is a way for PoolParty to tell the user's browser that certain websites (or "origins") are trustworthy, and the JavaScript applications they host are allowed to issue requests to PoolParty. 

Note

JavaScript served by the PoolParty server is considered as being of the same origin when accessing PoolParty, and as such it is not blocked nor managed by the CORS rules.

CORS settings are only relevant for requests with an Origin request header. This header is typically added and managed by the browser. Requests issued by API tools such as Postman or cURL normally do not contain any origin request header.

The PoolParty Thesaurus Manager Server, Entity Extractor and GraphSearch come with the CORS mechanism enabled by default but with an empty list of allowed origins. To use CORS, you must declare allowed origins. An origin consists of a protocol (http or https), domain name and optionally a port.

Procedure. Declare allowed origins
  1. Open the CORS configuration file (cors-config-thesaurus.xml, cors-config-extractor.xml or cors-config-graphsearch.xml) for the PoolParty component that should allow cross-origin requests.

    You can find the file in these paths respectively:

    • Linux: /opt/poolparty/config/

    • Windows: C:\Users\Public\PoolParty\config\

  2. If you do not need to send the PoolParty credentials along with cross-origin requests, set the value of the allowCredentials property to false:

    <beans:property name="allowCredentials" value="false"/>
  3. If you want to whitelist one origin only, use the allowedOrigins property to declare that origin. For example:

    <beans:property name="allowedOrigins" value="https://www.trusted.com"/>

    Caution

    Declaring localhost as an allowed origin poses a security risk, as it may allow for various exploits, including any service running on the user's machine potentially sending requests to the PoolParty server.

  4. If you want to whitelist multiple origins, create a <beans:list> with separate value elements for each origin. For example:

    <beans:property name="allowedOrigins">
        <beans:list>
            <beans:value>https://www.trusted1.com</beans:value>
            <beans:value>http://www.trusted1.com:8081</beans:value>
            <beans:value>https://www.trusted2.com</beans:value>
        </beans:list>
    </beans:property>

    Caution

    We do not recommend whitelisting all origins (setting the value of the allowedOrigins property to *). If you whitelist all origins and do not set the value of the allowCredentials property to false (step 2), credentials from active user sessions will be sent along when JavaScript from any website executes a call to the PoolParty server.

  5. Restart the PoolParty server for the changes to take effect.