Use CORS to Access Salesforce Resources from Web Browsers
Cross-Origin Resource Sharing (CORS) enables web browsers to request
resources from origins other than their own (cross-origin). For example, using CORS, JavaScript
code at https://www.example.com could request a resource from
https://www.salesforce.com. To access supported Salesforce APIs, Apex REST
resources, and Lightning Out from JavaScript code in a web browser, add the origin serving the
code to a Salesforce CORS whitelist.
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Developer, Enterprise, Performance, and Unlimited

| User Permissions Needed | |
|---|---|
| To create, read, update, and delete: | Modify All Data |
These Salesforce technologies support CORS.
- Analytics REST API
- Bulk API
- Chatter REST API
- Salesforce IoT REST API
- Lightning Out
- REST API
- User Interface API
- Apex REST
In Salesforce, add the origin serving the code to a CORS whitelist. If a browser that supports CORS makes a request from an origin in the whitelist, Salesforce returns the origin in the Access-Control-Allow-Origin HTTP header, along with any additional CORS HTTP headers. If the origin is not included in the whitelist, Salesforce returns HTTP status code 403.
- From Setup, enter CORS in the Quick Find box, then select CORS.
- Select New.
- Enter an origin URL pattern.
  The origin URL pattern must include the HTTPS protocol (unless you’re using your localhost) and a domain name, and can include a port. The wildcard character (*) is supported and must be in front of a second-level domain name. For example, https://*.example.com adds all subdomains of example.com to the whitelist.
  The origin URL pattern can be an IP address. However, an IP address and a domain that resolve to the same address are not the same origin, and you must add them to the CORS whitelist as separate entries.
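The pattern rules and the echo-or-403 behavior described above, modeled in JavaScript as an added example (not Salesforce's code). The function names, the sample whitelist, the 200 status on success, and the reading of the wildcard rule as "at least two labels after `*.`" are assumptions.

```javascript
// Added illustration of the rules described above; not Salesforce's implementation.
const ORIGIN_RE = /^(https?):\/\/(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d{1,5}))?$/i;

// Parse a whitelist entry; return null if it breaks a stated rule.
function parsePattern(pattern) {
  const m = ORIGIN_RE.exec(pattern);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const wildcard = m[2] !== undefined;
  const host = m[3].toLowerCase();
  const port = m[4] || '';
  // HTTPS is required unless the host is localhost.
  if (scheme !== 'https' && host !== 'localhost') return null;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  // Assumed reading of "in front of a second-level domain name":
  // the part after "*." needs at least two labels and is not an IP address.
  if (wildcard && (isIp || host.split('.').length < 2)) return null;
  return { scheme, wildcard, host, port };
}

// True when the request's Origin value matches a whitelist entry.
function originAllowed(origin, whitelist) {
  const o = parsePattern(origin);
  if (!o || o.wildcard) return false; // a real Origin value never contains "*"
  return whitelist.some((entry) => {
    const p = parsePattern(entry);
    if (!p || p.scheme !== o.scheme || p.port !== o.port) return false;
    // A wildcard covers subdomains only; the leading dot keeps
    // "evilexample.com" from matching "*.example.com".
    return p.wildcard ? o.host.endsWith('.' + p.host) : o.host === p.host;
  });
}

// Model of the documented behavior: echo the origin, or answer 403.
function corsResponse(origin, whitelist) {
  return originAllowed(origin, whitelist)
    ? { status: 200, headers: { 'Access-Control-Allow-Origin': origin } } // 200 is assumed
    : { status: 403, headers: {} };
}

// Constructed sample whitelist (documentation-range IP, example domains).
const WHITELIST = ['https://*.example.com', 'https://203.0.113.10', 'http://localhost:3000'];
```

Host comparison is by string, so the IP entry above does not admit a domain name that resolves to the same address; that domain needs its own entry.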