
Elvis 6 API - cross origin

AJAX calls to Elvis Server are blocked by Web browsers if the Web page that is making the call is not on one of the configured domains. By default, only the server domain is allowed.

Example: If Elvis server is running on http://elvis.yourdomain.com and you want to perform a cross-domain REST search from a Web page hosted on http://www.yourdomain.com, the Web browser will not perform the request.

Note: The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. (See mozilla.org: Same-origin policy.)

Cross-domain solutions

There are several techniques you can use to work around the same-origin restrictions imposed by Web browsers. The following techniques are supported by Elvis Server.

CORS (Cross-Origin Resource Sharing)

CORS is a technology available in modern Web browsers. It depends on special headers and behavior provided by the Web server that receives the API calls.

The Elvis server supports this kind of behavior and will send the appropriate headers and responses to browsers. When needed, it will respond with an Access-Control-Allow-Origin header.

Restricting domains

To restrict the domains from which calls can be made to the Server, set the following option in the cluster-config.properties.txt file:

  • security.accessControlAllowOrigin. Default value: empty.

To add specific domains, use a comma-separated list of values. These values should be lowercase and can contain * as a wildcard, which matches any character except dots.



The last entry https://*.example.org will match any subdomain of example.org with the https protocol. However, it does not match https://example.org itself.

To enable cross-domain requests using jQuery, pass the following to the AJAX call:

   $.ajax({
      url: a_cross_domain_url,
      xhrFields: {
         withCredentials: true
      }
   });
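The following is an added example, not code from Elvis Server or from this article. It models two things described above: how an origin allow-list in the style of security.accessControlAllowOrigin is matched (comma-separated entries, compared in lowercase, with * matching any character except dots, so https://*.example.org does not match https://example.org), and which response headers a server has to send back when the client uses xhrFields.withCredentials = true. The function names, the SAMPLE_OPTION value and the header-building logic are assumptions made for this illustration; Elvis Server's own matching code is not shown on this page.

```javascript
// Added example (not Elvis Server code): a model of an origin allow-list in the
// style of security.accessControlAllowOrigin, plus the CORS headers a server
// should answer with for a credentialed request (withCredentials: true).
// Assumptions: the list is comma-separated, compared in lowercase, and "*"
// matches any run of characters except dots, as the article describes.

// Turn one allow-list entry into a regular expression. Everything except "*"
// is escaped literally; "*" becomes "[^.]*" so it cannot span a dot.
function entryToRegExp(entry) {
  const escaped = entry
    .trim()
    .toLowerCase()
    .split('*')
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('[^.]*');
  return new RegExp('^' + escaped + '$');
}

// Parse the comma-separated option value into matchers. An empty value means
// no extra origins, i.e. only the server's own origin is allowed.
function parseAllowList(optionValue) {
  return optionValue
    .split(',')
    .map((e) => e.trim())
    .filter((e) => e.length > 0)
    .map(entryToRegExp);
}

// Does the Origin request header match one of the configured entries?
// The origin is lowercased so it compares against the lowercase entries.
function originAllowed(origin, matchers) {
  if (typeof origin !== 'string' || origin.length === 0) return false;
  const o = origin.toLowerCase();
  return matchers.some((re) => re.test(o));
}

// Headers a server should attach to a response for a credentialed
// cross-origin request. Returns null when the origin is not allowed, so
// nothing is echoed back to an unknown page.
function corsHeadersFor(origin, matchers) {
  if (!originAllowed(origin, matchers)) return null;
  return {
    // Echo the concrete origin: browsers reject "*" when credentials are sent.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Tell caches that the answer depends on the Origin request header.
    'Vary': 'Origin',
  };
}

// Constructed configuration value, in the format the article describes.
const SAMPLE_OPTION = 'http://www.example.org, https://*.example.org';
const SAMPLE_MATCHERS = parseAllowList(SAMPLE_OPTION);

// Stand-alone demonstration: which origins get CORS headers and which do not.
if (typeof require !== 'undefined' && require.main === module) {
  for (const origin of [
    'http://www.example.org',
    'https://assets.example.org',
    'https://example.org',
    'https://a.b.example.org',
    'https://evil.example.org.attacker.test',
  ]) {
    console.log(origin, '->', corsHeadersFor(origin, SAMPLE_MATCHERS));
  }
}
```

Two points worth checking in any real deployment: the allowed origin is echoed exactly rather than answered with `*`, because browsers discard a credentialed response whose Access-Control-Allow-Origin is `*`; and because `*` in an entry cannot cross a dot, a wildcard entry only ever covers one label of the hostname, which is why the bare domain and deeper subdomains are rejected.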

For more information on CORS:


In some scenarios, cross-domain calls make it difficult to keep authentication across requests.

Example: Session cookies received through a cross-domain request will be ignored by the Web browser.

URL Request secrets will allow images to be requested, even if the browser has no authenticated session with the server.

Adobe Flash crossdomain.xml

Cross-domain requests from a Flash SWF file to an Elvis Server installation on a different domain require a crossdomain.xml file to be placed at the root level of Elvis Server.

Because all content on the domain is usually served by Elvis (unless you use a proxy), we have provided a sample file named '-crossdomain.xml' in the Config folder of Elvis Server. To use it, rename the file to 'crossdomain.xml' and change its settings as required.

For more information:
