The EntityService and CORS


How to deal with cross-origin reference sharing.

Browser security prevents a webpage from making AJAX requests to another domain. This restriction is called “the same-origin policy.” However, there are some situations where you need to let other sites call your web API.

Cross Origin Resource Sharing (CORS) is a W3C standard that allows a server to relax the same-origin policy. When you use CORS, a server can explicitly allow some cross-origin requests while rejecting others.

For more information, see Enabling Cross-Origin Requests in ASP.NET Web API.

The Sitecore.Services.Client Services package registers support for CORS in Sitecore.Services.Infrastructure.Web.Http.ServicesHttpConfiguration.ConfigureServices (the initialize pipeline invokes this):


You enable CORS by adding the EnableCors attribute to a controller class and specifying the origins, headers, and methods parameters as needed.

For example, this controller has wildcard values for all of the resource restriction parameters:

[ServicesController][EnableCors(origins: "*", headers: "*", methods: "*")]public class TestController : EntityService<SimpleData>

In production environments, you must use a more restrictive definition of what can access resources.

There is no CORS support for the ItemService.

The Sitecore.Services.Infrastructure.Sitecore.Controllers.ItemServiceController is a sealed class so you cannot derive classes from it that specify the EnableCors attribute.