Enable CORS for ColdFusion Services

10-17-2012 2,713 views JavaScript, ColdFusion 9 Comments

Just a quick tip. CORS is a way to allow remote JavaScript clients to use your fancy APIs. Only the best APIs support it now, but usage is growing. For a good introduction to the topic, see Brian Rinaldi's excellent blog post here: Getting HTML5 Ready - CORS. Enabling CORS may be done at the web server level, but if you don't have access to that, or if you want to specifically provide access to one particular CFC file (or method), here is how you can do it.

I've got a CFC with 2 simple methods. Don't worry about what they do - they are just samples. To allow for CORS, you can add one simple header to your code. Unfortunately, you can't do cfheader in script-based CFCs. Therefore I made a new file, head.cfm, with one line:

Obviously if you use tag-based CFCs this won't be a problem. Also note you can move that include (or the tag) into a method to enable CORS only for some methods and not others.

Hope this helps!

9 Comments

Giancarlo Gomez #

Commented on 10-19-2012 at 12:42 AM
Hello Ray,

Thanks for the tip! FYI, you can set headers in cfscript by using GetPageContext() function as follows:

GetPageContext().getResponse().addHeader("Access-Control-Allow-Origin","*");

Raymond Camden #

Commented on 10-19-2012 at 6:08 AM
I _was_ going to give a snippy response about using CF internals, then my coffee kicked in and saw you were using the _documented_ getPageContext. Good call there. :)

Giancarlo Gomez #

Commented on 10-19-2012 at 8:08 AM
LOL, I know the feeling Ray and I was hoping you wouldn't take it the wrong way, thank god for good coffee. It is a shame those functions are not well documented though, thank god they made cfdump so good! A little bit of curiosity goes far sometimes.

Raymond Camden #

Commented on 10-19-2012 at 8:18 AM
To be fair, anything under GetPageContext would be documented in the J2EE docs. _Knowing_ that though is another matter.

Actually - just checked the docs - and they are pretty good. They even mention that the methods are "mandated by the JSP specification" which is pretty clear, too!

Jade Cady #

Commented on 10-19-2012 at 9:49 AM
The Github project CFCommunity / CFScript-Community-Components helps bridge most of the missing script functions just as another alternative.

Ray Varner #

Commented on 10-30-2012 at 12:16 PM
I'll throw in a few CORS headers that may be overkill. Also, a couple of semi-related header goodies.


<cfheader name="Access-Control-Allow-Origin" value="*" />
<cfheader name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE" />
<cfheader name="Access-Control-Allow-Headers" value="Content-Type" />
<cfheader name="Content-Type" value="application/JSON; charset=utf8" />


<cfset headerTime=GetHttpTimeString(now()) />
<cfheader name="Cache-Control" value="must-revalidate" />
<cfheader NAME="Pragma" value="no-cache" />
<cfheader name="Expires" value="#headerTime#" />
<cfheader NAME="Last-Modified" value="#headerTime#" />


<cfheader name="X-FRAME-OPTIONS" value="DENY" />


<cfheader name="X-UA-Compatible" value="IE=EmulateIE8" />

Raymond Camden #

Commented on 10-30-2012 at 12:18 PM
Next time - Pastebin or Gist please. :)

Sean Corfield #

Commented on 12-06-2012 at 2:31 PM
@Jade (and others), if you're using Railo, header is native in cfscript:

header name="Access-Control-Allow-Origin" value="*";

so you can put it directly into your script-based CFC.

Hopefully Adobe will add more tags to cfscript in CF11?