Use CORS to Access Apex REST Classes

CORS (cross-origin resource sharing) is a W3C recommendation that lets web browsers request resources from origins other than their own (cross-origin requests). For example, with CORS, a script served from https://www.example.com can request a resource from https://www.salesforce.com. Apex REST now supports CORS.

To call Apex REST classes from JavaScript running in a web browser, add the origin that serves the script to the CORS whitelist. To add an origin to the CORS whitelist, from Setup, enter CORS in the Quick Find box, then select CORS. Click New, and then enter an origin URL pattern.

The origin URL pattern must use HTTPS (unless you’re using your localhost) and include a domain name, and can optionally include a port. The wildcard character (*) is supported and must precede a second-level domain name. For example, https://*.example.com adds all subdomains of example.com to the whitelist. Because a wildcard trusts every subdomain, including any you don’t control, use the narrowest pattern that works.

If a browser that supports CORS makes a request from an origin in the Salesforce CORS whitelist, Salesforce returns that origin in the Access-Control-Allow-Origin HTTP header, along with any other applicable CORS HTTP headers. If the origin isn’t in the whitelist, Salesforce returns HTTP status code 403. Because the browser enforces CORS, the 403 normally shows up to your script as a failed request (a rejected fetch or a blocked preflight in the developer console) rather than as a readable response.

You must still pass an OAuth token with requests that require it. The whitelist only controls which web origins a browser lets read the response; it doesn’t authenticate the caller. Note that an Authorization header isn’t a CORS-safelisted header, so the browser sends a preflight OPTIONS request before the actual call.
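The following is an added example, not Salesforce code and not part of the original page. It models the whitelist rules above (HTTPS unless localhost, optional port, wildcard only in front of a second-level domain) so you can check an origin/pattern pair before depending on it, simulates the allow-or-403 outcome, and builds the browser-side fetch that carries the OAuth token. Everything is hypothetical: the function names, the assumption that a wildcard covers subdomains but not the bare domain, the assumption that a pattern without a port matches only origins without an explicit port, the use of the standard Apex REST base path /services/apexrest/ (not mentioned on this page), and the constructed origins and tokens.

```javascript
// Added example (not Salesforce code). Names, rules beyond those stated on the
// page, and sample values are assumptions for illustration.

// Origin URL pattern as entered in Setup > CORS: scheme://[*.]host[:port]
const PATTERN_RE = /^(https?):\/\/(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d{1,5}))?$/i;
// Origin header as a browser sends it: scheme://host[:port], never a path
const ORIGIN_RE = /^(https?):\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d{1,5}))?$/i;

// Returns null when the pattern breaks a rule: a path or query, a non-HTTPS
// scheme on anything other than localhost, or a wildcard that does not
// precede a second-level domain (e.g. https://*.com).
function parsePattern(pattern) {
  const m = PATTERN_RE.exec(pattern.trim());
  if (!m) return null;
  const [, scheme, wildcard, host, port] = m;
  const lowerScheme = scheme.toLowerCase();
  const lowerHost = host.toLowerCase();
  if (lowerScheme !== 'https' && lowerHost !== 'localhost') return null;
  if (wildcard && lowerHost.split('.').length < 2) return null;
  return { scheme: lowerScheme, wildcard: Boolean(wildcard), host: lowerHost, port: port || null };
}

// The literal origin "null" (sandboxed iframe, file://) parses as nothing
// and therefore never matches.
function parseOrigin(origin) {
  const m = ORIGIN_RE.exec(origin);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || null };
}

function originMatches(origin, pattern) {
  const o = parseOrigin(origin);
  const p = parsePattern(pattern);
  if (!o || !p) return false;
  if (o.scheme !== p.scheme || o.port !== p.port) return false;
  if (!p.wildcard) return o.host === p.host;
  // Assumption: https://*.example.com covers app.example.com but not
  // example.com itself, and the dot keeps evil-example.com out.
  return o.host.endsWith('.' + p.host);
}

// Simulates the outcome the page describes: echo a whitelisted origin in
// Access-Control-Allow-Origin, otherwise answer 403 with no CORS headers.
function corsDecision(origin, whitelist) {
  if (whitelist.some((pattern) => originMatches(origin, pattern))) {
    return { status: 200, headers: { 'Access-Control-Allow-Origin': origin } };
  }
  return { status: 403, headers: {} };
}

// Browser side. The Authorization header is not CORS-safelisted, so the
// browser issues an OPTIONS preflight before this request goes out.
// Assumes the standard Apex REST base path /services/apexrest/.
function buildApexRestRequest(instanceUrl, urlMapping, accessToken, body) {
  const path = '/services/apexrest/' + urlMapping.replace(/^\/+/, '');
  const url = new URL(path, instanceUrl).toString();
  const init = {
    method: body === undefined ? 'GET' : 'POST',
    headers: { Authorization: 'Bearer ' + accessToken, Accept: 'application/json' },
  };
  if (body !== undefined) {
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return { url, init };
}

// Example use from a page at https://app.example.com (constructed values).
// If that origin is not whitelisted the preflight fails and fetch rejects
// with a TypeError; the 403 itself is never readable from script.
async function callApexRest(instanceUrl, urlMapping, accessToken, body) {
  const { url, init } = buildApexRestRequest(instanceUrl, urlMapping, accessToken, body);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error('Apex REST returned HTTP ' + res.status);
  return res.json();
}
```

Run the matcher against the exact origin your page will be served from (scheme, host and port as the browser reports them in window.location.origin) before adding a pattern; a mismatch on any of the three is enough for Salesforce to return 403.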