Logo Help Center

Elvis 5 API - cross origin

Elvis 5 API - cross origin

AJAX calls to Elvis Server are blocked by Web browsers if the Web page that is making the call is not on the same domain.

Example: If Elvis server is running on http://elvis.yourdomain.com and you want to perform a cross-domain REST search from a Web page hosted on http://www.yourdomain.com, the Web browser will not perform the request.

Note: The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. (See mozilla.org: Same-origin policy.)

Cross-domain solutions

There are several techniques you can use to work around the same-origin restrictions imposed by Web browsers. The following techniques are supported by Elvis Server.

CORS (Cross-Origin Resource Sharing)

CORS is a technology available in modern Web browsers. It depends on special headers and behavior provided by the Web server that receives the API calls.

The Elvis server supports this kind of behavior and will send the appropriate headers and responses to browsers. When needed, it will respond with an Access-Control-Allow-Origin header.

Restricting domains

To restrict the domains from which calls can be made to the Server, set the following option in the cluster-config.properties.txt file:

  • security.accessControlAllowOrigin. Used in Elvis 5.9 or higher. Default value: empty.
  • accessControlAllowOrigin. Used in Elvis 5.0 to 5.8, deprecated in Elvis 5.9. Default value: * in Elvis 5.0 to 5.6, empty in Elvis 5.7 and 5.8.

To add a specific domain, use a comma-separated list of possible values. These values should be lowercase and can contain * as a wildcard which will match any character except dots.



The last entry https://*.example.org will match any subdomain of example.org with the https protocol. However, it does not match https://example.org itself.

To enable cross-domain requests using jQuery, pass the following to the AJAX call:

   url: a_cross_domain_url,
   xhrFields: {
      withCredentials: true

For more information on CORS:


CORS only works in recent Web browser versions. If your application has to work in older Web browsers too, JSONP is a good alternative.

JSONP works by dynamically inserting <script> elements for each request made to the server. The server wraps the data in a function that is executed when that data is loaded by the Web browser. That function can then pass control to your code so you can use the received JSON data.

Libraries like jQuery have built-in support for JSONP. Simply set dataType='jsonp' in your jQuery.ajax call.

   url: a_cross_domain_url,
   dataType: 'jsonp'

jQuery then adds an extra ?callback=... to the end of your URL to specify the callback. This matches the standard callback parameter name supported by Elvis:

callback=<function name>

If required, you can use a different parameter name instead of the default, set the following in the cluster-config.properties.txt file:


For more information on JSONP:

Web Proxy

A Web proxy is the most simple way to deal with cross-domain issues. It is far from ideal because ofpossible performance issues, but it always works.

For more information on Web proxies:


In some scenarios, cross-domain calls make it difficult to keep authentication across requests.

Example: Session cookies received through a cross-domain request will be ignored by the Web browser.

URL Request secrets will allow images to be requested, even if the browser has no authenticated session with the server.

Adobe Flash crossdomain.xml

Cross-domain requests from a Flash SWF file to an Elvis Server installation on a different domain require a crossdomain.xml file to be placed at the root level of Elvis Server.

Because all content on the domain is usually served by Elvis (unless you use a proxy), we have provided a sample file named '-crossdomain.xml' in the Config folder of Elvis Server. To use it, rename the file to 'crossdomain.xml' and change its settings as required.

For more information:

Was this article helpful?
0 out of 0 found this helpful / Created: / Updated:
Have more questions? Submit a request


Please sign in to leave a comment.