CORS APEX Rest Services


As of the Summer '16 release, CORS is available for Apex REST Classes. This is described in Use CORS to Access Salesforce Resources from Web Browsers.

These Salesforce technologies support CORS.

  • Analytics REST API
  • Bulk API
  • Chatter REST API
  • Salesforce IoT REST API
  • Lightning Out
  • User Interface API
  • Apex REST

In Salesforce, add the origin serving the code to a CORS whitelist. If a browser that supports CORS makes a request to an origin in the whitelist, Salesforce returns the origin in the Access-Control-Allow-Origin HTTP header, along with any additional CORS HTTP headers. If the origin is not included in the whitelist, Salesforce returns HTTP status code 403.

  1. From Setup, enter CORS in the Quick Find box, then select CORS.
  2. Select New.
  3. Enter an origin URL pattern.
    The origin URL pattern must include the HTTPS protocol (unless you’re using your localhost) and a domain name and can include a port. The wildcard character (*) is supported and must be in front of a second-level domain name. For example, https://* adds all subdomains of to the whitelist.
    The origin URL pattern can be an IP address. However, an IP address and a domain that resolve to the same address are not the same origin, and you must add them to the CORS whitelist as separate entries.
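
The allowlist rules quoted above, modelled in JavaScript as an added example (not code from this answer or from Salesforce). Assumptions: the wildcard is written as `*.` and covers subdomains only, status 200 stands in for the normal response, and every pattern and origin is a constructed sample value.

```javascript
// Model of the CORS allowlist rules quoted above. Illustration only, not Salesforce's code.
// All patterns and origins here are constructed sample values.
const SAMPLE_ALLOWLIST = [
  'https://*.example.com',        // wildcard in front of a second-level domain
  'http://localhost:3000',        // plain HTTP is accepted for localhost only
  'https://203.0.113.10',         // an IP address is its own entry
  'http://insecure.example.org',  // invalid: not HTTPS, so it is ignored
];

// Returns a parsed pattern, or null when the pattern breaks a rule.
function parsePattern(pattern) {
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i.exec(pattern);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[3].toLowerCase();
  if (scheme !== 'https' && host !== 'localhost') return null;
  // Assumed wildcard form "*.": "*.com" has no second-level domain behind it.
  if (m[2] && host.split('.').length < 2) return null;
  const defaultPort = scheme === 'https' ? '443' : '80';
  const port = m[4] && m[4] !== defaultPort ? m[4] : '';
  return { scheme, host, port, wildcard: Boolean(m[2]) };
}

// Compares scheme, host and port as strings; no DNS lookup is involved,
// so an IP address never matches a domain that resolves to it.
function originMatches(p, origin) {
  let u;
  try { u = new URL(origin); } catch { return false; }
  if (u.protocol !== p.scheme + ':' || u.port !== p.port) return false;
  // The leading dot keeps "evilexample.com" from matching "*.example.com".
  return p.wildcard ? u.hostname.endsWith('.' + p.host) : u.hostname === p.host;
}

// Echo the origin on a match, otherwise answer 403 (200 is an assumed success status).
function corsResponse(allowlist, origin) {
  const ok = allowlist.map(parsePattern).filter(Boolean)
    .some((p) => originMatches(p, origin));
  return ok
    ? { status: 200, headers: { 'Access-Control-Allow-Origin': origin } }
    : { status: 403, headers: {} };
}
```

Suffix matching without the leading dot, or matching on a substring of the `Origin` header, is the usual way an allowlist like this ends up admitting look-alike domains.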

Unfortunately, at the moment CORS is still not available for custom REST endpoints. Spring '15 only made it available for the standard REST API.

This is mentioned (incredibly briefly) at the end of this Salesforce Developers Blog post.

Apex REST Methods are not accessible via CORS.

Fingers crossed they add it in a future release as this would solve some headaches in a couple of projects I'm working on.

Looks like Apex REST now supports CORS:

Apex REST now supports CORS.

To access Apex REST classes from JavaScript in a web browser, add the origin that’s serving the script to the CORS whitelist. To add an origin to the CORS whitelist, from Setup, enter CORS in the Quick Find box, then select CORS. Click New, and then enter an origin URL pattern.

EDIT: Included relevant passages.