Version 2.5 of the ArcGIS API for JavaScript introduced support for cross-origin resource sharing (CORS). CORS allows web applications to bypass a browser’s same origin policy and access resources or services on other servers/domains. CORS is supported in modern, non-IE browsers and is usually classified as a component of HTML5.
When both the web server and browser support CORS, a proxy is not required to do cross-domain requests to get around that same origin policy. CORS both simplifies application development and provides a performance boost. Development is simplified because it is no longer necessary to maintain a proxy page on your server. The performance boost comes from no longer using a proxy page. Instead of a web app sending a request back to its server, waiting for the server to access another resource or service, and then interpreting the result, the app just accesses the resource or service directly. Eliminating the server as a middleman makes apps faster and frees up resources on the app’s server.
To use CORS from an ArcGIS API for JavaScript application, add the root URL for CORS enabled servers to esri.config.defaults.io.corsEnabledServers, which is an array of strings. As stated previously, web servers must be pre-configured to support CORS. This is a straightforward, simple process and enable-cors.org has walkthroughs on how to enable CORS for popular web servers.
While additional server side configuration is required to use CORS with a 9.3 or 10.0 ArcGIS Server instance, 10.1 instances of ArcGIS Server will support CORS out of the box.
Within the ArcGIS API for JavaScript, the main use cases for CORS are sending large geometries to a geometry service and doing various editing operations. Both are done with HTTP POSTs, and would otherwise require a proxy page if the ArcGIS Server services being used were not hosted on the same domain as the requesting application.
To test CORS with the ArcGIS API for JavaScript, check out the sample CORS apps in the ArcGIS API for JavaScript documentation. If you’re using a browser that supports CORS, you will see cross-domain POST requests when monitoring your HTTP traffic using Firebug, Chrome Dev Tools or some other tool. If you hit the apps with Internet Explorer, you’ll see that a proxy is still used. You can also experiment with the ArcGIS Server services running on servicesbeta.esri.com as that server has been configured to support CORS. Enjoy!
Contributed by Derek Swingley of the ArcGIS API for JavaScript development team
About the author
Commenting is not enabled for this article.