Friday, December 2, 2016

Securing Cross-Site Requests to MCS APIs

When your Oracle Mobile Cloud Service (MCS) APIs are accessed by a web application hosted on a remote server, it is important that you manage cross-origin resource sharing (CORS). We ran into this issue when we were building the solution for the Oracle Cloud Day: the MCS APIs were accessed by a web application hosted on a different domain, not on our Oracle PaaS domain. When the application called an API, the browser reported the error:

XMLHttpRequest cannot load: [request url]. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin [origin domain] is therefore not allowed access. The response had HTTP status 401.

You can either disallow CORS altogether or whitelist specific origins. This is done by setting the Security_AllowOrigin property in policies.properties.

An example of the property can be seen below:

*.*.Security_AllowOrigin=http://myapp.eproseed.com

This means that requests coming from the origin myapp.eproseed.com over HTTP on port 80 are allowed.

More information can be found in Using Oracle Mobile Cloud Service, Part II: Setting Up Mobile Apps, Chapter 5, which explains in detail the pattern matching that applies to this property.

To summarize:

1. Log in to MCS
2. Click on "Administration"
3. Scroll to the bottom of the page
4. Download policies.properties
5. Edit or add the property
6. Upload policies.properties

[Screenshot: Administration page in MCS]

The setting is applied instantly.