CORS and Allowed Origins

What is CORS?

"CORS" is short for "Cross-Origin Resource Sharing" and describes a mechanism by which a server indicates from which origins its resources may be loaded. It is a security mechanism, enforced by the browser, that prevents web pages on other origins from accessing the server's resources without permission.

For additional information, please refer to the MDN documentation on CORS.

CORS in Ninox

Starting with version 3.18.11 we have adjusted the CORS headers to make resource sharing more secure.

The Allowed Origins setting

Private Clouds running version 3.18.11 or newer feature a new setting, Allowed Origins, in the Integrations section of the Ninox Settings. It functions as a whitelist: only domains entered here may perform browser-based API calls to the Private Cloud's endpoints. Several domains can be entered, separated by commas. Each entry must include the full protocol, e.g. https://mydomain.com.

Examples

External to Private Cloud

A homepage has been built with a service such as Wix, WordPress, etc. From this page, example.storefront.com, an API call is sent from the browser (e.g. via JavaScript) to the Private Cloud example.ninoxdb.com to retrieve information on the status of orders.

Public Cloud or Private Cloud to other Private Cloud

A Public Cloud workspace (app.ninox.com) and the Private Cloud mydomain.ninoxdb.com each contain a database with a script that uses http() to call the Private Cloud example.ninoxdb.com and fetch information from one of its endpoints.

  • This call to http() will fail unless one of the following applies:
    • The domain app.ninox.com or mydomain.ninoxdb.com, respectively, has been entered into the Allowed Origins input in the Integrations menu of the example.ninoxdb.com Private Cloud.
    • The call to http() is made inside a "do as server ... end" block, because then the script is executed by the Ninox server host and not by the browser client, so the browser's CORS check does not apply.
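To make the behaviour of the Allowed Origins list concrete, here is an added illustrative model of such a check. It is not Ninox's own code; it assumes the setting is a comma-separated string of full origins (protocol plus host) and that the server compares the browser's Origin header against that list exactly, reflecting only a match.

```javascript
// Parse the Allowed Origins setting into a Set of normalized origins.
// Entries without a protocol (e.g. "mydomain.com") are rejected, because a
// bare host is not an origin and can never match an Origin header.
function parseAllowedOrigins(setting) {
  const allowed = new Set();
  const rejected = [];
  for (const raw of setting.split(",")) {
    const entry = raw.trim();
    if (entry === "") continue;
    let url;
    try {
      url = new URL(entry);            // throws for "mydomain.com"
    } catch {
      rejected.push(entry);
      continue;
    }
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      rejected.push(entry);
      continue;
    }
    allowed.add(url.origin);           // drops paths, default ports, case
  }
  return { allowed, rejected };
}

// Decide the CORS response headers for a browser request that carries an
// Origin header. Only an exact match is reflected; with no match the browser
// refuses to let the calling script read the response. A server-to-server
// call (the "do as server" case) sends no Origin header, so CORS never applies.
function corsHeadersFor(originHeader, allowed) {
  if (!originHeader || !allowed.has(originHeader)) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    // Vary prevents a cache from serving one origin's header to another.
    "Vary": "Origin",
  };
}

// Constructed sample setting covering the page's scenarios: two valid origins
// and one entry that forgot the protocol.
const SAMPLE_SETTING =
  "https://example.storefront.com, https://mydomain.ninoxdb.com, mydomain.com";
const SAMPLE = parseAllowedOrigins(SAMPLE_SETTING);
```

Note that http://example.storefront.com does not match https://example.storefront.com: the protocol is part of the origin, which is why the full protocol has to be entered in the setting.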