Cross-Origin Resource Sharing support

Author: Mathijs Brand

Last updated: August 1, 2022


Your browser knows a trick to prevent hackers from accessing your APIs using your session: the same-origin policy. It makes sure your APIs can't be accessed by malicious websites. Let's say you're logged in on and open another tab in your browser and access Your browser shares sessions between tabs, so without the same-origin policy, could access all the APIs of your Facebook account using your session. Thank you, same-origin policy, for not letting post all kinds of weird things on my Facebook timeline.

Great, let's not trust any site other than our own, and we're good to go. can do all communication with using secure protocols like SAML. Right?

Yes, that's right. But let's say you want to use a client-side JavaScript framework like Angular to build and want to access directly, without going through server-side code on How would you do that securely? SAML doesn't work securely here, because it relies on trusted communication between and Your JavaScript framework does not run on It runs in your browser, on your customer's laptop or a similar device. If you'd allow communication between your customer's laptop, you'd also allow to access the API.

The W3C created a way to separate the good from the bad by adding the CORS protocol. It allows you to specify which origin web servers you trust and which you don't. A script may run on your customer's laptop, but your browser knows its origin is and not trusts the browser's Origin header.

CORS basic example:

You run your Angular site on and your MSP-secured APIs are running on Now, tells the server its origin with the Origin header, and the server can then specify that it accepts by setting the Access-Control-Allow-Origin header, as depicted in the image below:




In the image above you see an HTTP GET request; you could do the same for a POST or HEAD request.


CORS preflight example:

In some cases (e.g. if a request has implications for user data) a simple request is not enough. For that reason modern browsers add a step: before performing the action, the browser first checks whether it (and thus the user) is allowed to perform it. This check is an OPTIONS request, the preflight, which is then followed by the actual request.

[Image: CORS Preflight.png]


Configure CORS in your token server

Ideally you don't open up all APIs to, just the ones you need. In the Token server we made this easy for you. You configure the URLs and the sites as follows:

[Image: Configure CORS.png]
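To make the two examples above concrete in code, here is an added illustration of the decision a token server or API makes when it receives a cross-origin request: a simple request is answered with Access-Control-Allow-Origin only when the Origin matches a configured entry, and a preflight OPTIONS request is answered with the allowed methods and headers. This is example code written for this post, not the MSP token server's implementation; the origins, API paths and the ALLOWLIST mapping are constructed placeholders standing in for whatever you configure in the token server screen shown above.

```python
# Added example (not the MSP token server's code): a minimal CORS decision
# function of the kind an API or token server applies to incoming requests.
# Origins, paths and the allowlist below are constructed for illustration.

# What the browser treats as a "simple request" (no preflight needed).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# Constructed configuration: which origins may call which API paths.
ALLOWLIST = {
    "/api/profile": {"https://app.example.com"},
    "/api/orders": {"https://app.example.com", "https://admin.example.com"},
}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_REQUEST_HEADERS = SIMPLE_HEADERS | {"authorization"}


def _lower(headers):
    """HTTP header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def needs_preflight(method, headers):
    """Mirror the browser's rule: anything that is not a simple request is
    preceded by an OPTIONS preflight. `headers` holds the headers the page's
    script set, plus the Origin header the browser adds itself."""
    h = _lower(headers)
    if method not in SIMPLE_METHODS:
        return True
    for name, value in h.items():
        if name == "origin":
            continue
        if name not in SIMPLE_HEADERS:
            return True  # e.g. Authorization or a custom X- header
        media_type = value.split(";")[0].strip().lower()
        if name == "content-type" and media_type not in SIMPLE_CONTENT_TYPES:
            return True  # e.g. application/json
    return False


def is_allowed(path, origin, allowlist=ALLOWLIST):
    """Exact match against the configured set: never reflect an arbitrary Origin."""
    return origin in allowlist.get(path, set())


def cors_headers(method, path, headers, allowlist=ALLOWLIST):
    """Return the CORS response headers for one request.

    An empty dict means 'no CORS headers': the browser will then refuse to
    hand the response to the calling script."""
    h = _lower(headers)
    origin = h.get("origin")
    if origin is None or not is_allowed(path, origin, allowlist):
        return {}
    response = {
        "Access-Control-Allow-Origin": origin,  # the one origin we matched
        "Vary": "Origin",  # the answer depends on Origin; tell caches so
    }
    if method == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: the browser asks permission before sending the real request.
        wanted_method = h["access-control-request-method"].upper()
        wanted_headers = {x.strip().lower()
                          for x in h.get("access-control-request-headers", "").split(",")
                          if x.strip()}
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_REQUEST_HEADERS:
            return {}
        response["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        response["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        response["Access-Control-Max-Age"] = "600"  # browser may cache the verdict
    return response


if __name__ == "__main__":
    # Constructed traffic: a simple GET, a preflight for a JSON PUT, and a
    # request from an origin that is not in the allowlist.
    print(cors_headers("GET", "/api/profile", {"Origin": "https://app.example.com"}))
    print(cors_headers("OPTIONS", "/api/orders", {
        "Origin": "https://admin.example.com",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Authorization, Content-Type"}))
    print(cors_headers("GET", "/api/profile", {"Origin": "https://other.example"}))
```

Two design points are worth noting. The allowed origin is looked up, not copied from the request: a server that simply echoes whatever Origin it receives has effectively disabled the protection. And CORS is a control the browser enforces on behalf of the user; the API's own authentication and authorization still apply to every request, whether or not CORS headers are present.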


Can you change the origin header?

By default the MSP platform does not allow any access other than same-origin. As explained, you can configure your MSP platform to trust a certain host. One way to get around this would be if you were able to change the Origin header from to This way the server would trust you and you might be able to access But this is not easy to do, as all modern browsers prevent you from changing the Origin header. You'd need to hack the browser itself, and if you were able to do that, you'd be able to access anything of the user's, not only access

Read more?

Special thanks to Marta Kobylinska for reviewing this blog post.