User Interface API Developer Guide

Get Started with User Interface API
User Interface API Quick Start
User Interface API Sample Apps
Authentication, Versioning, Limits, ETag, and More
Response Body Encoding
Perform Cross-Origin Requests from Web Browsers
Status Codes and Error Responses
API End-of-Life
User Interface API Features
User Interface API Resources
User Interface API Request Bodies
User Interface API Response Bodies
Supported Objects
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Perform Cross-Origin Requests from Web Browsers

Cross-Origin Resource Sharing (CORS) enables web browsers to request resources from origins other than their own. For example, using CORS, JavaScript code at https://www.example.com could request a resource from https://www.salesforce.com. To access supported Salesforce APIs, Apex REST resources, and Lightning Out from JavaScript code in a web browser, add the origin serving the code to a Salesforce CORS allowlist.
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Developer, Enterprise, Performance, and Unlimited Editions
Available with API access enabled in: Professional Edition

User Permissions Needed
To create, read, update, and delete: Modify All Data
These Salesforce technologies support CORS.
  • Analytics REST API
  • Bulk API
  • Bulk API 2.0
  • Connect REST API
  • Salesforce IoT REST API
  • Lightning Out
  • REST API
  • User Interface API
  • Apex REST

In Salesforce, add the origin serving the code to a CORS allowlist. If a browser that supports CORS makes a request to an origin in the allowlist, Salesforce returns the origin in the Access-Control-Allow-Origin HTTP header along with any additional CORS HTTP headers. If the origin isn’t included in the allowlist, Salesforce returns HTTP status code 403.

  1. From Setup, enter CORS in the Quick Find box, then select CORS.
  2. Select New.
  3. Enter an origin URL pattern.
    The origin URL pattern must include the HTTPS protocol (unless you’re using your localhost) and a domain name. It can also include a port. The wildcard character (*) is supported and must be in front of a second-level domain name. For example, https://*.example.com adds all subdomains of example.com to the allowlist.
    The origin URL pattern can be an IP address. However, an IP address and a domain that resolve to the same address aren’t the same origin, and you must add them to the CORS allowlist as separate entries.
    The origin URL pattern might not match the URL that appears in your browser's address bar. Make sure that you’re allowing the origin in the request header.

You can get a successful response when requesting any REST resource in a CORS preflight test, but an unsuccessful response to the actual request. This is possible if the resource is deleted after the preflight test and before the request is made. It’s also possible if the resource doesn’t exist. A CORS preflight confirms if resources can be passed between servers, but doesn’t check if a specific resource exists or not. CORS preflight requests are typically issued automatically by a browser.

To access certain OAuth endpoints with CORS, other requirements apply. See Enable CORS for OAuth Endpoints.

Note