Metadata API Developer’s Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
PDF

Newer Version Available

This content describes an older version of this product. View Latest

CorsWhitelistOrigin

Represents an origin in the CORS whitelist.

File Suffix and Directory Location

CorsWhitelistOrigin components have the suffix .corswhitelistorigin and are stored in the corswhitelistorigins folder.

Version

CorsWhitelistOrigin components are available in API version 32.0 and later.

Fields

Field Name Field Type Description
developerName String A unique name for the entry.
urlPattern String A URL pattern for the origin.

The origin URL pattern must include the HTTPS protocol and a domain name, and may include a port. The wildcard character (*) is supported and must be in front of a second-level domain name. For example, https://*.example.com adds all subdomains of example.com to the whitelist.

The origin URL pattern can be an IP address. However, an IP address and a domain that resolve to the same address are not the same origin and you must add them to the CORS whitelist as separate entries.

Declarative Metadata Sample Definition

The following is an example package manifest used to deploy or retrieve the CorsWhitelistOrigin metadata for an organization.

1<?xml version="1.0" encoding="UTF-8"?>
2<Package xmlns="http://soap.sforce.com/2006/04/metadata">
3    <types>
4        <members>*</members>
5        <name>CorsWhitelistOrigin</name>
6    </types>
7    <version>32.0</version>
8</Package>

The following is an example of a CorsWhitelistOrigin component.

1<?xml version="1.0" encoding="UTF-8"?>
2<CorsWhitelistOrigin xmlns="http://soap.sforce.com/2006/04/metadata">
3    <developerName>CorsWhitelistEntry1</developerName>
4    <urlPattern>https://*.example.com</urlPattern>
5</CorsWhitelistOrigin>

Usage

CORS (cross-origin resource sharing) is a W3C recommendation that enables Web browsers to request resources from origins other than their own. For example, using CORS, a JavaScript script at https://www.example.com could request a resource from https://www.salesforce.com.

If a browser that supports CORS makes a request to an origin in the Salesforce CORS whitelist, Salesforce returns the origin in the Access-Control-Allow-Origin HTTP header, along with any additional CORS HTTP headers. If the origin is not whitelisted, Salesforce returns HTTP status code 404.