Example CORS JSON configuration

Here is example content for cors-rules.json.

This sample JSON file content illustrates these important points:
  • Rules precedence: Rules are evaluated in the order they appear in the file, and evaluation stops once a match is found. In this example, the first two rules both apply to the origins http://this.example.com and http://that.example.com. The first allows read-only access ("GET") to resources that match /api/data/documents. The second allows read-write access to other resources that match /api/data. Since /api/data/documents is more specific than /api/data, it MUST come first. If the order of the two rules is reversed, the CORS filter ignores the /api/data/documents rule, because requests for /api/data/documents also match /api/data.
  • Credentials: The first two rules allow credentials ("allowCredentials": true), but the third rule does not. Since the Domino Access Services (DAS) freebusy API is meant to allow anonymous requests, there is no need to accept credentials for requests matching /api/freebusy.
  • Default behavior: Cross-origin requests are disabled when no matching rule is found for a resource. There is no rule for resources matching /api/calendar, so the following configuration disables cross-origin requests for the DAS calendar API. The default is always to disable cross-origin requests.
{
  "version": "1.0",
  "rules": [
    {
      "resource": {
        "path": "/api/data/documents"
      },
      "allowOrigins": [ "http://this.example.com", "http://that.example.com" ],
      "allowMethods": [ "GET" ],
      "allowCredentials": true
    },
    {
      "resource": {
        "path": "/api/data"
      },
      "allowOrigins": [ "http://this.example.com", "http://that.example.com" ],
      "allowMethods": [ "GET", "POST", "PUT", "DELETE" ],
      "allowCredentials": true
    },
    {
      "resource": {
        "path": "/api/freebusy"
      },
      "allowOrigins": [ "http://this.example.com" ],
      "allowMethods": [ "GET" ]
    }
  ]
}
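To make the first-match evaluation and the rule-ordering problem concrete, here is an added Python example; it is not part of the Domino documentation or product, and it does not model the real Domino CORS filter. It assumes the filter treats a rule as matching when the request path equals the rule's path or lies beneath it, which is what the description above implies for /api/data and /api/data/documents; any further matching semantics of the Domino filter are not stated on this page. The embedded JSON is a constructed copy of the configuration above, and the names evaluate, find_rule and shadowed_rules are this example's own. shadowed_rules is the check an administrator would want before deploying: it reports any rule that can never be reached because an earlier, broader rule already matches everything it would.

```python
import json

# Constructed copy of the cors-rules.json shown on this page (the trailing
# comma after the second rule's "allowCredentials" removed so it parses).
CORS_RULES_JSON = """
{
  "version": "1.0",
  "rules": [
    { "resource": { "path": "/api/data/documents" },
      "allowOrigins": [ "http://this.example.com", "http://that.example.com" ],
      "allowMethods": [ "GET" ],
      "allowCredentials": true },
    { "resource": { "path": "/api/data" },
      "allowOrigins": [ "http://this.example.com", "http://that.example.com" ],
      "allowMethods": [ "GET", "POST", "PUT", "DELETE" ],
      "allowCredentials": true },
    { "resource": { "path": "/api/freebusy" },
      "allowOrigins": [ "http://this.example.com" ],
      "allowMethods": [ "GET" ] }
  ]
}
"""


def load_rules(text):
    """Parse the JSON document and return its ordered list of rules."""
    return json.loads(text)["rules"]


def path_matches(rule_path, request_path):
    """Assumption (not from the page): a rule matches a request whose path is
    equal to the rule path or is a descendant of it."""
    base = rule_path.rstrip("/")
    return request_path == base or request_path.startswith(base + "/")


def find_rule(rules, request_path):
    """First-match evaluation: rules are tried in file order and the first
    rule whose path matches wins; later rules are never consulted."""
    for rule in rules:
        if path_matches(rule["resource"]["path"], request_path):
            return rule
    return None


def evaluate(rules, origin, method, request_path, with_credentials=False):
    """Decide whether a cross-origin request is allowed under these rules.

    Returns (allowed, reason). With no matching rule the default applies:
    cross-origin access is disabled."""
    rule = find_rule(rules, request_path)
    if rule is None:
        return (False, "no matching rule: cross-origin disabled")
    if origin not in rule["allowOrigins"]:
        return (False, "origin not allowed")
    if method not in rule["allowMethods"]:
        return (False, "method not allowed")
    # "allowCredentials" is absent from the freebusy rule; treat absent as false.
    if with_credentials and not rule.get("allowCredentials", False):
        return (False, "credentials not allowed")
    return (True, rule["resource"]["path"])


def shadowed_rules(rules):
    """Lint check: return (shadowed_index, earlier_index) pairs where an
    earlier rule's path already matches every request the later rule's path
    would match, so the later rule can never be selected."""
    found = []
    for i, later in enumerate(rules):
        for j in range(i):
            if path_matches(rules[j]["resource"]["path"], later["resource"]["path"]):
                found.append((i, j))
    return found


if __name__ == "__main__":
    rules = load_rules(CORS_RULES_JSON)
    print(evaluate(rules, "http://this.example.com", "GET", "/api/data/documents", True))
    print(evaluate(rules, "http://this.example.com", "GET", "/api/calendar"))
    print("shadowed in file order:", shadowed_rules(rules))
    reversed_rules = [rules[1], rules[0], rules[2]]
    print("shadowed when reversed:", shadowed_rules(reversed_rules))
```

Running the module shows the two cases the text describes: in file order no rule is shadowed and a GET for /api/data/documents is allowed read-only, while with the first two rules swapped the /api/data/documents rule is reported as shadowed by /api/data and can never be reached. Note also that a POST to /api/data/documents is refused even in the correct order, because evaluation stops at the first matching rule and that rule only lists "GET".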