Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows servers to specify which origins (domains, schemes, or ports) other than their own a browser should permit to load their resources.
CORS also relies on a mechanism by which browsers make a “preflight” request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Modern browsers use CORS in APIs such as XMLHttpRequest or Fetch to mitigate the risks of cross-origin HTTP requests.
Implementation
Strict CORS validation is enforced for the following APIs (endpoints):
- /getformcodes
- /formbyuuid
- /submitformdata
- /submitformcookie
When creating a new workflow in Instnt Accept's dashboard UI, it is important to list the specific domains that should have access, so that access is restricted to them. Leaving the field blank grants unrestricted access to the workflow.
The Trusted Domains setting can be found in the Security page. By default, each workflow has its value set to "*", indicating that the workflow has no access restrictions.
However, if the workflow is intended for a specific website, such as instnt.org, the only value that should be entered in the Trusted Domains field is "instnt.org".
In cases where the workflow needs to be accessible from other subdomains of the parent domain, whether in a development or stage environment, the following values are valid for the Trusted Domains field:
- instnt.org
- dev.instnt.org
- stage.instnt.org
- sandbox.instnt.org
It is important to note that when configuring the workflow in this manner, the Trusted Domains field must not include the default asterisk alongside the listed domains. Any attempt to use the workflow from a domain that is not listed, such as myinstnt.org, will be blocked.
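The Trusted Domains rules above, written out as a server-side origin check (added example code, not Instnt's implementation). It assumes the comparison is made against the host name of the request's Origin header, with an exact match per listed domain and "*" meaning unrestricted; the domain list is the one from the text.

```python
from urllib.parse import urlsplit

# Trusted Domains list from the text; subdomains are listed explicitly
# because a parent domain does not imply them.
TRUSTED_DOMAINS = ["instnt.org", "dev.instnt.org", "stage.instnt.org", "sandbox.instnt.org"]


def origin_host(origin):
    """Return the lower-cased host of an Origin header value, or None if it
    is not an http(s) origin (e.g. the literal 'null' or a malformed value)."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()  # hostname drops any :port


def is_trusted_origin(origin, trusted_domains):
    """Decide whether an Origin is allowed by a Trusted Domains list.
    '*' is the default, unrestricted setting the text warns about."""
    if "*" in trusted_domains:
        return True
    host = origin_host(origin)
    if host is None:
        return False
    # Exact host match only: 'myinstnt.org' or 'instnt.org.example' do not
    # match 'instnt.org', and neither would an unlisted subdomain.
    return host in {d.lower() for d in trusted_domains}


def cors_headers(origin, trusted_domains, preflight=False):
    """Build the CORS response headers for a cross-origin request, or return
    None when the origin is blocked (no Access-Control-Allow-Origin is sent)."""
    if not is_trusted_origin(origin, trusted_domains):
        return None
    headers = {"Vary": "Origin"}
    # With the wildcard default the response is open to every origin;
    # otherwise only the matched origin is echoed back.
    headers["Access-Control-Allow-Origin"] = "*" if "*" in trusted_domains else origin
    if preflight:  # answer the browser's OPTIONS preflight for the form endpoints
        headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Content-Type"
    return headers


if __name__ == "__main__":
    for o in ("https://instnt.org", "https://dev.instnt.org", "https://myinstnt.org"):
        print(o, "->", cors_headers(o, TRUSTED_DOMAINS, preflight=True))
```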