Enabling Cross-Origin Resource Sharing (CORS)

By default, web browsers do not let a page request resources from a domain other than the one the page was loaded from. These Cross-Origin Resource Sharing (CORS) settings can be necessary if, for example, you have an application that uses the M-Files REST API to communicate with the vault.

Important: The use of CORS is a security relaxation. Before you continue, make sure that the risk is acceptable.

To enable CORS, add these registry keys and values to the Windows registry of the M-Files Web server:

Key HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\<version>\Server\MFWA\<site name or ID in Internet Information Services>
Value name EnableCrossOriginAccess
Value type REG_MULTI_SZ
Value <hostname>=<allowed origins>

Description A list of mappings that specify which origins have access to which vaults. On each row, specify the host name (DNS name) on the left side of the equals character. After the equals character, add the allowed origins separated with semicolons. Using an asterisk (*) is not recommended because it gives cross-origin access from all sites.

You can normally check the URL of the origin domains with your browser. For example, for SharePoint web apps, the format of the URL is https://<domain identifier>-<instance identifier>.sharepoint.com.

Example value
https://sample-vault.cloudvault.m-files.com=https://mfiles-123asd.sharepoint.com;https://mfiles-098xcv.sharepoint.com
https://aa-consulting.cloudvault.m-files.com=https://aa-consulting-123asd.sharepoint.com;https://aa-consulting-098xcv.sharepoint.com
https://vaultXXX.cloudvault.m-files.com=https://mfiles-123asd.sharepoint.com

Key HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\<version>\Server\MFWA\<site name or ID in Internet Information Services>
Value name AllowedCrossOriginHeaders
Value type REG_SZ
Description The headers to be allowed in the response.
Value Origin,X-Requested-With,Content-Type,Accept,M-Files-Vault,m-files-session,m-files-extensions

Key HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\<version>\Server\MFWA\<site name or ID in Internet Information Services>
Value name AllowedCrossOriginMethods
Value type REG_SZ
Description The methods to be allowed in the response headers.
Value PUT,POST,GET,OPTIONS
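
The following PowerShell script is an added example, not M-Files code: it checks each EnableCrossOriginAccess row before writing the three values described above, and refuses to write anything if a row contains an asterisk or a malformed origin. The script name, parameter names, the Test-CorsMapping helper and the origin-format checks are assumptions made for this example; the registry path placeholders are passed in as parameters.

```powershell
# Added example (hypothetical script name). Usage with a constructed mapping row:
#   .\Set-MFilesCors.ps1 -Version '<version>' -Site '<site name or ID>' `
#     -Mappings 'vault.example.com=https://app.example.com' -Apply
param(
    [Parameter(Mandatory)] [string]   $Version,   # <version> segment of the key path
    [Parameter(Mandatory)] [string]   $Site,      # IIS site name or ID
    [Parameter(Mandatory)] [string[]] $Mappings,  # rows: <hostname>=<origin>;<origin>
    [switch] $Apply                               # validate only unless -Apply is given
)

# Emits one string per problem found in a mapping row; emits nothing for a clean row.
function Test-CorsMapping {
    param([string] $Row)
    $parts = $Row -split '=', 2
    if ($parts.Count -ne 2 -or -not $parts[0].Trim() -or -not $parts[1].Trim()) {
        'row is not in <hostname>=<allowed origins> form'
        return
    }
    foreach ($origin in ($parts[1] -split ';')) {
        $o = $origin.Trim()
        $uri = $null
        if ($o -eq '') { 'empty origin (stray semicolon)' }
        elseif ($o -eq '*') { 'asterisk gives cross-origin access from all sites' }
        elseif (-not [Uri]::TryCreate($o, [UriKind]::Absolute, [ref] $uri) -or
                $uri.Scheme -notin 'http', 'https') { "'$o' is not an absolute http(s) URL" }
        elseif ($uri.PathAndQuery -ne '/' -or $o.EndsWith('/')) {
            # Browsers send Origin as scheme://host[:port], with no path or trailing slash.
            "'$o' has a path or trailing slash"
        }
    }
}

$problems = foreach ($row in $Mappings) {
    Test-CorsMapping $row | ForEach-Object { '{0} -> {1}' -f $row, $_ }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Mappings rejected; nothing was written to the registry.'
}

$key = "HKLM:\SOFTWARE\Motive\M-Files\$Version\Server\MFWA\$Site"
if ($Apply) {
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $set = @{ LiteralPath = $key; Force = $true }
    New-ItemProperty @set -Name EnableCrossOriginAccess -PropertyType MultiString -Value $Mappings | Out-Null
    New-ItemProperty @set -Name AllowedCrossOriginHeaders -PropertyType String `
        -Value 'Origin,X-Requested-With,Content-Type,Accept,M-Files-Vault,m-files-session,m-files-extensions' | Out-Null
    New-ItemProperty @set -Name AllowedCrossOriginMethods -PropertyType String -Value 'PUT,POST,GET,OPTIONS' | Out-Null
}
```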