Accessing Apex REST from using CORS Settings

CORS (Cross-Origin Resource Sharing) support was added to the REST API in the Spring ’15 release. The same-origin policy restricts the browser to only making an XMLHttpRequest to the same host that served the page.  CORS allows pages to request resources from hosts other than the host that served them.

In this previous post, I described how JSONP could be used to access a public Site Apex REST method from a page. This post describes how to do the same with the new CORS security settings instead of JSONP.

The CORS settings are located in Setup > Security Controls > CORS.  Once on the CORS settings page, simply enter a URL pattern for the domain of the Site.  For example, in a developer edition pre-release it could be or in production the custom web address

The REST @HttpGet method is basically the same as it is for the JSONP approach, but it no longer accepts a callback parameter and does not wrap the response in a callback, since JSONP is no longer needed.

The content block can remain basically the same as in the JSONP approach, except that the dataType config property no longer needs to be set to JSONP.

Once published, the page can be seen in action by navigating to the URL, e.g.,,, etc.  One drawback is that it does not work in the Studio editor, because the requesting URL is and not the published Site’s URL.

All code is available in this gist.
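To illustrate the same-origin restriction and the Studio editor drawback described above, here is an added example (not part of the original post or its gist) that models, in simplified form, the two checks a browser applies to a cross-origin request: whether an OPTIONS preflight is sent first, and whether the page may read the response. It goes slightly beyond the post by covering preflight; the origins, the allowlist and all function names are constructed placeholders, and the server side is reduced to echoing an allowlisted origin.

```javascript
// Simplified model of the browser's CORS rules (the full Fetch rules have more cases).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight({ method, headers = {} }) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return true;
    if (lower === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Hypothetical server side: echo the Origin only when it is on the allowlist.
function corsHeadersFor(origin, allowlist) {
  return allowlist.includes(origin)
    ? { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' }
    : {};
}

// True when script running on pageOrigin is allowed to read the response.
function responseReadable(pageOrigin, responseHeaders, withCredentials = false) {
  const entry = Object.entries(responseHeaders)
    .find(([name]) => name.toLowerCase() === 'access-control-allow-origin');
  if (!entry) return false;                       // no header: browser blocks the read
  if (entry[1] === '*') return !withCredentials;  // wildcard is rejected with credentials
  return entry[1] === pageOrigin;                 // otherwise an exact origin match
}

// Constructed placeholder origins: the published page and an editor preview.
const SITE_ORIGIN = 'https://site.example';
const EDITOR_ORIGIN = 'https://editor.example';
const ALLOWLIST = [SITE_ORIGIN];

for (const origin of [SITE_ORIGIN, EDITOR_ORIGIN]) {
  const readable = responseReadable(origin, corsHeadersFor(origin, ALLOWLIST));
  console.log(`${origin}: GET preflight=${needsPreflight({ method: 'GET' })} readable=${readable}`);
}
```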

3 thoughts on “Accessing Apex REST from using CORS Settings”

  1. Hi Peter,

    I found your article while I was searching for a way to take advantage of this new feature. What I am trying to do is to call my REST API method (which is a public site) from my localhost app. However, it looks like it doesn’t work or I am missing something. I added my localhost address where my website is hosted to the CORS list in my org, but I never get Access-Control-Allow-Origin in the response. It works only if I manually add in the Apex code:
    res.addHeader('Access-Control-Allow-Origin', 'http://localhost:30374');

    which would be totally fine if I didn’t need to use POST with the application/json header, in which case CORS causes the browser to first fire an “Options” request, which then results in a “method not allowed” error from Salesforce. Salesforce doesn’t support annotations like ‘@HttpOptions’.

    Do you have any idea if my scenario is supposed to work at all or I am missing the limits of this new feature?

    Thank you!

  2. Here is the article that carries the answer to my question:

    It explicitly says the following:

    “here are a couple of limitations in the Spring ’15 CORS implementation:
    Apex REST Methods are not accessible via CORS.”

    Knowing that, and failing to do what I wrote in my previous comment, I actually doubt that this example in this post actually works in reality.

    Looks like this new feature in Spring ’15 works on different domains only for the built-in Salesforce REST API.
