§Cross-Origin Resource Sharing
Play provides a filter that implements Cross-Origin Resource Sharing (CORS).
CORS is a protocol that allows web applications to make requests from the browser across different domains. A full specification can be found here.
§Enabling the CORS filter
To enable the CORS filter, add
play.filters.enabled += "play.filters.cors.CORSFilter"
§Configuring the CORS filter
The filter can be configured from
application.conf. For a full listing of configuration options, see the Play filters
The available options include:
play.filters.cors.pathPrefixes- filter paths by a whitelist of path prefixes
play.filters.cors.allowedOrigins- allow only requests with origins from a whitelist (by default all origins are allowed). “null” is treated as a valid origin, and can be whitelisted in allowedOrigins to allow origins with non-hierarchical schemes like
data: by sending Access-Control-Allow-Origin: null. Be aware that this is discouraged by the W3C as it can also grant hostile documents access to the response.
play.filters.cors.allowedHttpMethods- allow only HTTP methods from a whitelist for preflight requests (by default all methods are allowed)
play.filters.cors.allowedHttpHeaders- allow only HTTP headers from a whitelist for preflight requests (by default all headers are allowed)
play.filters.cors.exposedHeaders- set custom HTTP headers to be exposed in the response (by default no headers are exposed)
play.filters.cors.supportsCredentials- disable/enable support for credentials (by default credentials support is enabled)
play.filters.cors.preflightMaxAge- set how long the results of a preflight request can be cached in a preflight result cache (by default 1 hour)
play.filters.cors.serveForbiddenOrigins- enable/disable serving requests with origins not in whitelist as non-CORS requests (by default they are forbidden)
pathPrefixes = ["/some/path", ...]
allowedOrigins = ["http://www.example.com", ...]
allowedHttpMethods = ["GET", "POST"]
allowedHttpHeaders = ["Accept"]
preflightMaxAge = 3 days
Next: Configuring CSP
Found an error in this documentation? The source code for this page can be found here. After reading the documentation guidelines, please feel free to contribute a pull request. Have questions or advice to share? Go to our community forums to start a conversation with the community.