Enterprise Administration > File Vaulting and Replication > File Vaulting > Working with External File Vaults > Configuring Windchill to Allow Cross-Origin Resource Sharing (CORS) Requests
  
Configuring Windchill to Allow Cross-Origin Resource Sharing (CORS) Requests
For security reasons, browsers restrict cross-origin http requests initiated from third party websites. PTC recommends that you enable cross-origin requests in Windchill server to allow download requests from third party websites. Using Tomcat CORS filters, you can enable both upload and download requests in Windchill.
If your Windchill server is already configured for CORS filters, then you need to merge the existing configuration with the configuration explained below. CORS filters should be re-configured post Windchill update and upgrade.
Site administrators should configure CORS filters to allow cross-origin http requests using the following procedure. This configuration is applicable to Windchill master and file server sites.
1. Navigate to <Windchill_Home>\codebase\WEB-INF\web.xml.
2. Update web.xml file with the following ContentCorsFilter and ContentHttpHeaderSecurityFilter along with Mapping configurations:
<filter>
<filter-name>ContentCorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>[ALLOWED_ORIGINS]</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With</param-value>
</init-param>
</filter>
<filter>
<filter-name>ContentHttpHeaderSecurityFilter</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-FROM</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value>[ALLOWED_ORIGINS]</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ContentCorsFilter</filter-name>
<url-pattern>/servlet/WindchillAuthGW/wt.content.ContentHttp/viewContent/*</url-pattern>
<url-pattern>/servlet/WindchillAuthGW/wt.fv.master.StandardMasterService/doDirectDownload/*</url-pattern>
<url-pattern>/servlet/WindchillAuthGW/wt.fv.replica.StandardReplicaService/doDownload/*</url-pattern>
<url-pattern>/servlet/WindchillAuthGW/wt.fv.replica.StandardReplicaService/doIndirectDownload/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ContentHttpHeaderSecurityFilter</filter-name>
<url-pattern>/servlet/WindchillAuthGW/wt.content.ContentHttp/viewContent/*</url-pattern>
<url-pattern>/servlet/WindchillAuthGW/wt.fv.master.StandardMasterService/doDirectDownload/*</url-pattern>
<url-pattern>/servlet/WindchillAuthGW/wt.fv.replica.StandardReplicaService/doDownload/*</url-pattern>
<url-pattern>/servlet/WindchillAuthGW/wt.fv.replica.StandardReplicaService/doIndirectDownload/*</url-pattern>
</filter-mapping>
* 
Update the cors.allowed.origin and antiClickJackingUri parameter with the desired web address(es) using comma separated list. Do not use asterisk (*) since cors.support.credentials is required to true.
3. Save the web.xml file.
4. Restart the Windchill server.