The Default CORS Policy Rule
Cross-Origin Resource Sharing (CORS) is an HTTP-header-based tool that's used to locate other origin servers that an end user's browser can use to get your content. CORS uses a "preflight check" mechanism: A request is made to the origin server where the cross-origin content is stored, to make sure the request is allowed. If it's allowed, the browser sends various headers that indicate the HTTP method and headers to be used in the actual request.
How it works
If you have CORS set up in your environment—via scripts in ths
XMLHttpRequest object on your site or app, or through some other mechanism—the Modify Outgoing Response Header behaviors in this rule are set up to modify various
Access-Control response headers, to indicate what's supported after the CORS preflight check. This effectively sets the HTTP method and headers that a browser can use in a CORS request.
Access-Control-Allow-Origin. This modifies this header value to "*" to get the header to acknowledge all origin servers. This way, this header won't inadvertently block access to an origin that may host your content.
Access-Control-Allow-Methods. This modifies this header to ensure that only the GET, POST, and OPTIONS methods are allowed in a request from the browser.
Access-Control-Allow-Headers. This header indicates which HTTP headers can be used during the request from a browser. This modifies this header so that only
hdntsrequest headers are supported. The
hdntsheaders are Akamai-specific headers used in the delivery of media content.
Access-Control-Expose-Headers. This header indicates which response headers should be available to a script running in the requesting browser. This modifies this header so that only the
Akamai-Request-BCheaders are supported. The
Akamai-Mon-Iucid-Delheaders are included to support Akamai client-side analytics.
Akamai-Request-BCallows for CORS support with the Breadcrumbs feature with AMD.
Access-Control-Allow-Credentials. This modifies this header to set it to
true. When a request requires credentials for content, a browser will only pass the preflight check if the Access-Control-Allow-Credentials value is
true. Credentials are cookies, authorization headers, or TLS client certificates. For example, with this value set to true, if your origin server requires credentials (a cookie) to access cross-origin content, and no cookie is present, the "credential check" fails. The response is then ignored by the browser and the content is not returned.
Access-Control-Max-Age. This header determines how long the results of a preflight check can be cached. This sets it to
86400seconds which equals 24 hours.
For best performance, leave this rule and all of its behaviors in the configuration. But, none of its settings are mandatory.
Support for Common Media Client Data (CMCD)
Do you want to support CMCD with your media player? If so, you may need to apply settings in this behavior to properly support it. Have a look at Common Media Client Data & AMD for full details.
Updated 11 months ago