Instnt Cross-Origin Resource Sharing (CORS) Implementation

Cross-Origin Resource Sharing (CORS) is an HTTP-header-based mechanism that allows a server to specify which origins (domains, schemes, or ports) other than its own may load its resources in a browser.

CORS relies on a mechanism in which browsers make a "preflight" request to the server hosting the cross-origin resource to ensure that the server permits the actual request. In this preflight request, the browser sends headers that specify the HTTP method and headers to be used in the actual request.

The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Modern browsers use CORS in APIs such as XMLHttpRequest or Fetch to mitigate the risks associated with cross-origin HTTP requests.

Implementation

Strict CORS validation is enforced for the following APIs (endpoints):

  • /getformcodes
  • /formbyuuid
  • /submitformdata
  • /submitformcookie

When creating a new workflow in the Instnt Accept dashboard UI, it is essential to enter the specific domains that should be allowed to access it. Leaving the field blank grants unrestricted access to the workflow.

The Trusted Domains setting can be found in the Security page. By default, each workflow has its value set to "*", indicating that the workflow has no access restrictions.


However, if the workflow is intended for a specific website, such as instnt.org, the only value that should be entered in the Trusted Domains field is "instnt.org".

In cases where the workflow needs to be accessible from other subdomains of the parent domain, whether in a development or stage environment, the following values are valid for the Trusted Domains field:

  • instnt.org
  • dev.instnt.org
  • stage.instnt.org
  • sandbox.instnt.org

It is important to note that when configuring the workflow in this manner, the Trusted Domains field must not include the default asterisk. Any attempt to use the workflow from a different domain, such as myinstnt.org, will be blocked.
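The following is an added example, not Instnt's own code, that models how a server-side check over the Trusted Domains list described above behaves: "*" grants unrestricted access, otherwise the host in the browser's Origin header must match an entry exactly, so myinstnt.org is refused even though instnt.org is listed. The header names are the standard CORS response headers; the trusted-domains list and the helper names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed Trusted Domains setting for one workflow: the parent domain plus the
# environment subdomains listed explicitly, and no default "*".
TRUSTED_DOMAINS = ["instnt.org", "dev.instnt.org", "stage.instnt.org", "sandbox.instnt.org"]


def origin_allowed(origin, trusted_domains):
    """Return True if the Origin header value is covered by the Trusted Domains list.

    "*" (the dashboard default) means no restriction. Otherwise only the host part of
    the Origin is compared, and it must equal an entry exactly: no suffix or substring
    matching, so "myinstnt.org" or "instnt.org.example" never match "instnt.org".
    """
    if "*" in trusted_domains:
        return True
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    # "null" and malformed origins have no scheme/host and are refused.
    if not host or parts.scheme not in ("https", "http"):
        return False
    return any(host == entry.strip().lower() for entry in trusted_domains)


def cors_headers(origin, method, trusted_domains):
    """Build the CORS response headers for a request arriving from `origin`.

    An empty dict means the origin is not trusted: no Access-Control-Allow-Origin is
    sent and the browser blocks the cross-origin read. A trusted origin is echoed back
    exactly (never reflected unconditionally), and preflight (OPTIONS) answers also
    carry the permitted methods and headers.
    """
    if not origin_allowed(origin, trusted_domains):
        return {}
    allow = "*" if "*" in trusted_domains else origin
    headers = {"Access-Control-Allow-Origin": allow, "Vary": "Origin"}
    if method == "OPTIONS":
        headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Content-Type"
    return headers
```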