:toc: macro
toc::[]

= CORS support

When you are developing Javascript client and server application separately, you have to deal with cross domain issues. We have to request from a origin domain distinct to target domain and browser does not allow this.

So , we need to prepare server side to accept request from other domains. We need to cover the following points:

* Accept request from other domains.

* Accept devonfw used headers like `X-CSRF-TOKEN` or `correlationId.`

* Be prepared to receive secured request (cookies).

It is important to note that if you are using security in your request (sending cookies) you have to set  `withCredentials` flag to `true` in your client side request and deal with special IE8 characteristics.

For more information about CORS see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS[here]. Information about the CORS headers can be found https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#cors[here].

== Configuring CORS support

To enable CORS support for your application, see the advanced guides. For Spring applications see link:spring/guide-cors-spring.asciidoc[here]. For Quarkus follow the https://quarkus.io/guides/http-reference#cors-filter[official Quarkus guide].

== Configuration with service mesh

If you are using a service mesh, you can also define your CORS policy directly there. Here is an example from https://istio.io/latest/docs/reference/config/networking/virtual-service/#CorsPolicy[Istio].