Enable CORS for an Organization

In GoodData, you can enable cross-origin resource sharing (CORS) in an organization to get around the same-origin policy browser restrictions. With CORS enabled, you can make GoodData resources, which are hosted on one domain, accessible to you from any other domain.

Note

Only users with permission to manage organizations can manage Cross-origin resource sharing.

User interface

API (Bash)

You can add multiple domains as allowed origins directly through the user interface in the Developer settings section:

On the homepage, go to Developer settings.
In the Cross-origin resource sharing (CORS) section, click Manage.
The list of allowed origins opens.
Click + Add and type the URL or use wildcards for subdomains (e.g., https://*.domain.com).
Click Add and click Close.

To edit a domain in the allowed origins list, open the list of allowed origins and click the domain name to edit it.

To remove any domain from the allowed origins list, click the bin icon on the right.

To set allowed origins for an organization use the /api/v1/entities/admin/organizations/default API endpoint:

curl -v -X PATCH -H 'Content-type: application/vnd.gooddata.api+json' \
    -H "Authorization: Bearer <token>" \
    -d @organization.json $HOST_URL/api/v1/entities/admin/organizations/default

where organization.json contains

{
    "data": {
        "attributes": {
            "allowedOrigins": [
                "https://some.domain.com",
                "http://another.domain.com",
                "https://*.domain.com",
                "http://*.some.domain.com"
            ]
        },
        "id": "default",
        "type": "organization"
    }
}

Using Wildcards

GoodData also supports the use of wildcards in CORS settings, allowing for more flexible domain management.

Exact Origin: For an exact origin like scheme://host[:port], CORS will return the Access-Control-Allow-Origin header exactly as specified.
Subdomain Wildcard: For a pattern like scheme://*.domain[:port], CORS will match and allow any subdomain of the specified domain.
Permit-All Wildcard: The * wildcard can be used on its own to allow all domains. However, this is not recommended due to browser-side restrictions. It will return Access-Control-Allow-Origin: *, but in most cases, it may not function as expected.

Create an API Access Token

Enable CSP