Enabling Cross-Origin Resource Sharing (CORS)

Web browsers cannot normally request resources from outside the domain where the resources are hosted. These Cross-Origin Resource Sharing (CORS) settings can be necessary if, for example, you have an application that uses the M-Files REST API to communicate with the vault.

Important: The use of CORS is a security relaxation. Before you continue, make sure that the risk is acceptable.

To enable CORS, add these registry keys and values to the Windows registry of the M-Files Web server:


Key	HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\`<version>`\Server\MFWA\Sites\`<site name or ID in Internet Information Services>`
Value name	EnableCrossOriginAccess
Value type	REG_MULTI_SZ
Value	A list of mappings that specify which origins have access to which vaults. On each row, specify the host name (DNS name) on the left side of the equals character. After the equals character, add the allowed origins separated with semi-colons. It is not recommended to use an asterisk (*) because it gives cross-origin access from all sites. Setting format for two vaults, hostnames separated by a line break: `<hostname 1>=<allowed origins separated with semicolons> <hostname 2>=<allowed origins separated with semicolons>` You can normally check the URL of the origin domains with your browser. For example, for SharePoint web apps, the format of the URL is https://`<domain identifier>`-`<instance identifier>`.sharepoint.com.
Example value	`https://sample-vault.cloudvault.m-files.com=https://mfiles-123asd.sharepoint.com;https://mfiles-098xcv.sharepoint.com https://aa-consulting.cloudvault.m-files.com=https://aa-consulting-123asd.sharepoint.com;https://aa-consulting-098xcv.sharepoint.com https://vaultXXX.cloudvault.m-files.com=https://mfiles-123asd.sharepoint.com`


Key	HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\`<version>`\Server\MFWA\Sites\`<site name or ID in Internet Information Services>`
Value name	AllowedCrossOriginHeaders
Value type	REG_SZ
Description	The headers to be allowed in the response.
Value	Origin,Content-Type,Accept,Access-Control-Allow-Origin,Cache-Control,X-Authentication,X-Requested-With,X-Vault,M-Files-Vault,m-files-session,m-files-extensions


Key	HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\`<version>`\Server\MFWA\Sites\`<site name or ID in Internet Information Services>`
Value name	AllowedCrossOriginMethods
Value type	REG_SZ
Description	The methods to be allowed in the response headers.
Value	PUT,POST,GET,OPTIONS