Overview
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources.
CORS also relies on a mechanism by which browsers make a “preflight” request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Modern browsers use CORS in APIs such as XMLHttpRequest or Fetch to mitigate the risks of cross-origin HTTP requests.
Implementation
The following APIs (endpoints) contain strict CORS validation:
- /getformcodes
- /formbyuuid
- /submitformdata
- /submitformcookie
When creating a new workflow within Instnt Accept's dashboard UI, enter specific domains to ensure restricted access to the workflow, as leaving the field blank allows for unrestricted access.
The Trusted Domains setting is located within the Security page with the default value for each workflow being set at "*", meaning that the workflow has no restricted access whatsoever.
However, if the workflow being created is only meant for a specific website, i.e. instnt.org, then the only value set within Trusted Domains should be instnt.org.
If the workflow being created is also accessible from other subdomains of the parent domain, in either a development or stage environment, then the following are possible listed values of the Trusted Domains:
- instnt.org
- dev.instnt.org
- stage.instnt.org
- sandbox.instnt.org
- etc.
When set up in this manner, the Trusted Domain workflow fields must not contain the default asterisk and any attempts to use the workflow created from a different domain, such as myinstnt.org, are blocked.