Twitter: raymondcamden

Address: Lafayette, LA, USA

Enable CORS for ColdFusion Services

10-17-2012 6,114 views JavaScript, ColdFusion 9 Comments

Just a quick tip. CORS is a way to allow remote JavaScript clients to use your fancy APIs. Only the best APIs support it now, but usage is growing. For a good introduction to the topic, see Brian Rinaldi's excellent blog post here: Getting HTML5 Ready - CORS. Enabling CORS may be done at the web server level, but if you don't have access to that, or if you want to specifically provide access to one particular CFC file (or method), here is how you can do it.

I've got a CFC with 2 simple methods. Don't worry about what they do - they are just samples. To allow for CORS, you can add one simple header to your code. Unfortunately, you can't do cfheader in script-based CFCs. Therefore I made a new file, head.cfm, with one line:

Obviously if you use tag-based CFCs this won't be a problem. Also note you can move that include (or the tag) into a method to enable CORS only for some methods and not others.

Hope this helps!


  • Commented on 10-19-2012 at 12:42 AM
    Hello Ray,

    Thanks for the tip! FYI, you can set headers in cfscript by using GetPageContext() function as follows:

  • Commented on 10-19-2012 at 6:08 AM
    I was going to give a snippy response about using CF internals, then my coffee kicked in and saw you were using the documented getPageContext. Good call there. :)
  • Commented on 10-19-2012 at 8:08 AM
    LOL, I know the feeling Ray and I was hoping you wouldn't take it the wrong way, thank god for good coffee. It is a shame those functions are not well documented though, thank god they made cfdump so good! A little bit of curiosity goes far sometimes.
  • Commented on 10-19-2012 at 8:18 AM
    To be fair, anything under GetPageContext would be documented in the J2EE docs. Knowing that though is another matter.

    Actually - just checked the docs - and they are pretty good. They even mention that the methods are "mandated by the JSP specification" which is pretty clear, too!
  • Jade Cady #
    Commented on 10-19-2012 at 9:49 AM
    The Github project CFCommunity / CFScript-Community-Components helps bridge most of the missing script functions just as another alternative.
  • Ray Varner #
    Commented on 10-30-2012 at 12:16 PM
    I'll throw in a few CORS headers that may be overkill. Also, a couple of semi-related header goodies.

    <!--- CORS - Cross Origin Resource Sharing --->
    <cfheader name="Access-Control-Allow-Origin" value="*" />
    <cfheader name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE" />
    <cfheader name="Access-Control-Allow-Headers" value="Content-Type" />
    <cfheader name="Content-Type" value="application/JSON; charset=utf8" />

    <!--- Force cache to clear --->
    <cfset headerTime=GetHttpTimeString(now()) />
    <cfheader name="Cache-Control" value="must-revalidate" />
    <cfheader NAME="Pragma" value="no-cache" />
    <cfheader name="Expires" value="#headerTime#" />
    <cfheader NAME="Last-Modified" value="#headerTime#" />

    <!--- THWART Click-Jacking --->
    <cfheader name="X-FRAME-OPTIONS" value="DENY" />

    <!--- Force IE8 Compatibility mode --->
    <cfheader name="X-UA-Compatible" value="IE=EmulateIE8" />
  • Commented on 10-30-2012 at 12:18 PM
    Next time - Pastebin or Gist please. :)
  • Commented on 12-06-2012 at 2:31 PM
    @Jade (and others), if you're using Railo, header is native in cfscript:

    header name="Access-Control-Allow-Origin" value="*";

    so you can put it directly into your script-based CFC.

    Hopefully Adobe will add more tags to cfscript in CF11?
  • Commented on 12-06-2012 at 2:38 PM
    I hope so. It is one of the few left.

Post Reply

Please refrain from posting large blocks of code as a comment. Use Pastebin or Gists instead. Text wrapped in asterisks (*) will be bold and text wrapped in underscores (_) will be italicized.

Leave this field empty