The Cross-Origin Resource Sharing (CORS) feature regulates client-side cross-origin requests by providing policy statements to the client on demand and by checking requests for compliance with the policy. This feature is enabled by default.

Policies include the set of HTTP methods that can be accepted, where requests can originate, and which content types are valid. These vary according to the request URL, and can be reconfigured as needed by adding entries to

An ellipsis after a property name indicates that the property can accept a list.

Table 1. CORS Properties
Property Value Type Master Default Other Defaults
enableCORS true


true n/a
acceptContentType... http-content-type application/x-www-form-urlencoded,application/xml,text/xml
  • admin=application/x-amf
  • helpdesk=application/json,application/text,application/x-www-form-urlencoded
  • view-vlsi-rest=application/json
acceptHeader... http-header-name * n/a
exposeHeader... http-header-name * n/a
filterHeaders true


true n/a
checkOrigin true


true n/a
allowCredentials true


false admin=true









allowMethod... http-method-name GET,HEAD,POST misc=GET,HEAD


allowPreflight true


true n/a
maxAge cache-time 0 n/a
balancedHost load-balancer-name OFF n/a
portalHost... gateway-name OFF n/a
chromeExtension... chrome-extension-hash OFF n/a

Example CORS properties in the file:

enableCORS = true
allowPreflight = true
checkOrigin = true
checkOrigin-misc = false
allowMethod.1 = GET
allowMethod.2 = HEAD
allowMethod.3 = POST
allowMethod-saml.1 = GET
allowMethod-saml.2 = HEAD
acceptContentType.1 = application/x-www-form-urlencoded
acceptContentType.2 = application/xml
acceptContentType.3 = text/xml

Origin Checking

Origin checking is enabled by default. When it is enabled, a request will be accepted only without an Origin, or with an Origin equal to the address given in the External URL, to the balancedHost address, to any portalHost address, to any chromeExtension hash, to null, or to localhost. If Origin is not one of these possibilities, then an error "Unexpected Origin" is logged and a status of 404 is returned.

If multiple Connection Servers or security servers are load balanced, you must specify the load balancer address by adding a balancedHost entry to Port 443 is assumed for this address.

If clients need to connect through a Unified Access Gateway or another gateway, you must specify all of the gateway addresses by adding portalHost entries to Port 443 is assumed for these addresses too. Do the same if you want to provide access to a Connection Server or security server by a name that is different from the one that is specified in the External URL.

Chrome Extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to