Not a developer? Go to



This is documentation about a configuration directive, which can be placed within Movable Type’s core configuration file, mt-config.cgi, to customize the behavior of the system.

DataAPICORSAllowOrigin is a Movable Type configuration directive that lets you control which origin servers can send REST queries to the Data API for processing.

When retrieving data from external sites using JavaScript’s XMLHttpRequest Level 2 with a web browser or a client application, the returned header information is subject to a number of different Cross Origin Resource Sharing (CORS) security restrictions.

Default Configuration

By default, Data API requests are only accepted from the server on which the Data API is running.

In order to permit requests from other servers to be accepted, the DataAPICORSAllowOrigin configuration directive must be set.

To Service Requests from Any and All Originating Servers

If REST queries should be accepted from all servers, the configuration directive should be set as follows:

DataAPICORSAllowOrigin *

Note that this is an extremely permissive security policy, and may result in unauthorized and possibly malicious attempts to interact with the Data API. 

To Service Requests from Specifically-Identified Servers

More restrictive policies may be set by listing origin servers in a comma-delimited list:


If Microsoft Internet Explorer 8 or 9’s XDomainRequest are used to retrieve data from an external site, both the Access-Control-Allow-Origin header and the XDomainRequestAllowed header must be returned in the response.  If Movable Type returns the Access-Control-Allow-Origin header, the XDomainRequestAllowed header will always be returned with a value of 1.

Origin consists of three elements, scheme, host name, and port, and should be written according to the examples shown below.

Origins must have a scheme of “http://” or “https://” in order to be successfully processed.  The default port number is 80 for HTTP and 443 for HTTPS.


Note that the tree origins shown above are all different from each other.  In order for two origins to be considered the same, the scheme, host name, and port must match.



Default Value

Technically, DataAPICORSAllowOrigin does not have a default value.  But, as stated above, the default behavior is to not permit requests with a different origin than the server on which the Data API is running.