This is documentation about a configuration directive, which can be placed within Movable Type’s core configuration file,
mt-config.cgi, to customize the behavior of the system.
DataAPICORSAllowOrigin is a Movable Type configuration directive that lets you control which origin servers can send REST queries to the Data API for processing.
By default, Data API requests are only accepted from the server on which the Data API is running.
In order to permit requests from other servers to be accepted, the DataAPICORSAllowOrigin configuration directive must be set.
If REST queries should be accepted from all servers, the configuration directive should be set as follows:
Note that this is an extremely permissive security policy, and may result in unauthorized and possibly malicious attempts to interact with the Data API.
More restrictive policies may be set by listing origin servers in a comma-delimited list:
DataAPICORSAllowOrigin http://www.example.com/, http://news.example.com/, http://api.example.com/
If Microsoft Internet Explorer 8 or 9’s XDomainRequest is used to retrieve data from an external site, both the Access-Control-Allow-Origin header and the XDomainRequestAllowed header must be returned in the response. If Movable Type returns the Access-Control-Allow-Origin header, the XDomainRequestAllowed header will always be returned with a value of 1.
An origin consists of three elements: scheme, host name, and port. Origins should be written according to the examples shown below.
Origins must have a scheme of “http://” or “https://” in order to be successfully processed. The default port number is 80 for HTTP and 443 for HTTPS.
Note that the three origins shown above are all different from each other. In order for two origins to be considered the same, the scheme, host name, and port must all match.
DataAPICORSAllowOrigin http://www.example.com/, https://api.example.com/
Technically, DataAPICORSAllowOrigin has no default value. But, as stated above, the default behavior is to not permit requests whose origin differs from the server on which the Data API is running.
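The following is an added example, not Movable Type's own code, that models the origin-matching rule described above (scheme, host name, and port must all match, with 80 and 443 as the default ports) and the two response headers the page names. It parses a DataAPICORSAllowOrigin value in the same comma-delimited form, treats the single value "*" as the permit-all setting, and decides which headers to emit for a given Origin request header. The function names, the choice to echo the matched origin back in Access-Control-Allow-Origin, and the sample request origins are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Default ports per the documentation: 80 for HTTP, 443 for HTTPS.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Reduce an origin string to (scheme, host, port).

    Returns None when the origin does not use http:// or https://,
    has no host, or carries a port that is not a number. Any path
    (such as the trailing "/" in the directive examples) is ignored,
    since only scheme, host name, and port take part in the comparison.
    """
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if scheme not in DEFAULT_PORTS or not host:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "http://www.example.com:abc"
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def parse_allow_origin(directive_value):
    """Parse a DataAPICORSAllowOrigin value.

    Returns the string "*" for the permit-all setting, otherwise a set of
    normalized (scheme, host, port) tuples. Raises ValueError for an entry
    that is not an http:// or https:// origin, which the documentation says
    cannot be processed.
    """
    value = directive_value.strip()
    if value == "*":
        return "*"
    allowed = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        norm = normalize_origin(item)
        if norm is None:
            raise ValueError("origin must use http:// or https://: %r" % item)
        allowed.add(norm)
    return allowed


def cors_headers(directive_value, request_origin):
    """Return the CORS response headers for one request.

    request_origin is the value of the request's Origin header, or None when
    the request carried none (a same-origin request). An empty dict means the
    response gets no Access-Control-Allow-Origin header, so the browser will
    block a cross-origin caller. Whenever Access-Control-Allow-Origin is
    returned, XDomainRequestAllowed: 1 accompanies it, as the page states.
    """
    allowed = parse_allow_origin(directive_value)
    if request_origin is None:
        return {}
    if allowed == "*":
        return {"Access-Control-Allow-Origin": "*", "XDomainRequestAllowed": "1"}
    norm = normalize_origin(request_origin)
    if norm is not None and norm in allowed:
        # Assumption for this example: echo the matched origin back verbatim.
        return {"Access-Control-Allow-Origin": request_origin,
                "XDomainRequestAllowed": "1"}
    return {}


if __name__ == "__main__":
    # Directive value taken from the documentation's restrictive example.
    directive = "DataAPICORSAllowOrigin http://www.example.com/, https://api.example.com/"
    value = directive.split(None, 1)[1]
    # Constructed sample Origin headers a browser might send.
    for origin in ["http://www.example.com", "http://www.example.com:80",
                   "https://www.example.com", "http://www.example.com:8080",
                   "https://api.example.com", "http://news.example.com"]:
        print("%-32s -> %s" % (origin, cors_headers(value, origin) or "blocked"))
```

Running the script shows why the page stresses that all three elements must match: "http://www.example.com" and "http://www.example.com:80" are accepted as the same origin because 80 is the HTTP default, while the https variant and the :8080 variant of the same host are both rejected.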