The EntityService and CORS
How to deal with cross-origin resource sharing.
Browser security prevents a webpage from making AJAX requests to another domain. This restriction is called “the same-origin policy.” However, there are some situations where you need to let other sites call your web API.
Cross Origin Resource Sharing (CORS) is a W3C standard that allows a server to relax the same-origin policy. When you use CORS, a server can explicitly allow some cross-origin requests while rejecting others.
For more information, see Enabling Cross-Origin Requests in ASP.NET Web API.
The Sitecore.Services.Client Services package registers support for CORS in Sitecore.Services.Infrastructure.Web.Http.ServicesHttpConfiguration.ConfigureServices (the initialize pipeline invokes this):
config.EnableCors();
You enable CORS by adding the EnableCors attribute to a controller class and specifying the origins, headers, and methods parameters as needed.
For example, this controller has wildcard values for all of the resource restriction parameters:
[ServicesController]
[EnableCors(origins: "*", headers: "*", methods: "*")]
public class TestController : EntityService<SimpleData>
In production environments, you must use a more restrictive definition of what can access resources.
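One way to replace the wildcard policy, as an added example that is not Sitecore's own code: a custom attribute implementing ASP.NET Web API's ICorsPolicyProvider that builds the policy from an explicit origin allowlist. The attribute name AllowlistedCorsAttribute, the appSettings key Cors.AllowedOrigins, and the chosen headers and methods are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http.Cors;

// Hypothetical attribute (not part of Sitecore.Services.Client): supplies a CORS
// policy built from an explicit allowlist instead of the "*" wildcards.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowlistedCorsAttribute : Attribute, ICorsPolicyProvider
{
    private readonly CorsPolicy _policy;

    public AllowlistedCorsAttribute()
    {
        // Every "allow any" switch stays off and credentials are not sent cross-origin.
        _policy = new CorsPolicy
        {
            AllowAnyOrigin = false,
            AllowAnyHeader = false,
            AllowAnyMethod = false,
            SupportsCredentials = false
        };

        // Assumed appSettings key holding a semicolon-separated list of full origins
        // (scheme + host + optional port, no trailing slash), for example
        // "https://app.example.com;https://admin.example.com".
        // A missing or empty key leaves Origins empty, so no cross-origin caller is allowed.
        var configured = ConfigurationManager.AppSettings["Cors.AllowedOrigins"] ?? string.Empty;
        foreach (var origin in configured.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            _policy.Origins.Add(origin.Trim());
        }

        // Only the request headers and HTTP methods the client is expected to use.
        _policy.Headers.Add("accept");
        _policy.Headers.Add("content-type");
        _policy.Methods.Add("GET");
        _policy.Methods.Add("POST");
    }

    // Called by the Web API CORS message handler for each cross-origin request.
    public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        return Task.FromResult(_policy);
    }
}
```

Apply it by putting [AllowlistedCors] on the controller class in place of the wildcard EnableCors attribute; origins are matched exactly, so each entry must be the full scheme and host the browser sends in the Origin header.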
There is no CORS support for the ItemService.
The Sitecore.Services.Infrastructure.Sitecore.Controllers.ItemServiceController is a sealed class, so you cannot derive classes from it that specify the EnableCors attribute.