By default, most browsers are configured to deny cross-origin HTTP requests. A cross-origin request is an HTTP request that originates from a domain that is different from the native domain of the host.
Cross-Origin Resource Sharing (CORS) uses HTTP headers to allow access to certain resources from a server whose origin (domain) is different from than the one hosting the page or script currently in use. Cross-origin HTTP requests can include requests from a different domain, protocol, or port than the one from which the current document is hosted.
For example, if an HTML page served from http://my-domain.com makes an <img> src request for http://your-domain.com/image.jpg, this request is cross-origin and will be blocked. It is a common implementation for resources such as stylesheets, images, and scripts to reside on dedicated resource domains, such as content delivery networks (CDNs), that are shared by sites on multiple other domains.
CORS provides a way to allow secure cross-domain requests and data transfers between browsers and web servers.
Application Server Configuration
CORS configuration on the server can be found in the SmartPlant Foundation Server web.config file in the intergraph.webApi section.
The allowedOrigins field should contain all domains that are allowed to access the Server API, for example "http://my.domain.1, https://my.domain.2". Notice that domains should include the transport protocol (http/https) and multiple domains can be separated by a comma.
<oauth issuer="https://[HOST]/[CFG_SERVICE]/SPFAuthentication/oauth" requiredScopes="ingr.api" />
<cors allowedOrigins="[LIST_OF_ACCESSING_DOMAINS]" allowedMethods="*" allowedHeaders="*" exposedHeaders="" allowCredentials="true" preflightMaxAge="600" />
<service prefix="api" id="EE9C5479-A52E-4D11-80AE-BFDDCE9A603F" secret="" instance="" />