
Resolving Cross-Origin Resource Sharing (CORS) issues when using SFMC CloudPages

On a recent project we needed to allow a site to post JSON content to an SFMC CloudPage. The site in question was locked down with Cross-Origin Resource Sharing (CORS) headers to prevent cross-site attacks.

So how do we work around this?

In the CloudPage we start with a block of AMPScript that I borrowed from somewhere, so I can't lay claim to it.

Some solutions out there suggest returning a catch-all '*', but for security reasons I would strongly discourage that.

Yes, someone could spoof the Referer, but we're not trying to stop that. We're trying to make the client browser accept the response from our CloudPage.

The AMPScript gets the Referer from the HTTP request, uses a RegEx to filter it to our known domains and then sets a 'match' variable.


%%[
VAR @origin, @pattern, @match
SET @origin = HTTPRequestHeader("Referer")
/* Anchored to the host: only hostname labels of [a-zA-Z0-9-] may precede yourdomain.com,
   so the allowed name cannot be matched inside a path or as a prefix of another host. */
SET @pattern = "^(https:\/\/([a-zA-Z0-9-]+\.)*yourdomain\.com)($|\/)"
/* Group 1 is scheme plus host only, which is the form Access-Control-Allow-Origin expects.
   @match is empty when the Referer is missing or not on the allowlist. */
SET @match = RegExMatch(@origin, @pattern, 1)
]%%


Next we use SFMC Server-Side JavaScript (SSJS) to set the response headers. The matched domain is passed through in the @match variable and echoed back here. A key element is the "Access-Control-Allow-Headers" response header: when the POST uses a content type such as JSON that triggers a browser preflight, this line is critical.

<script runat="server">
    var MATCH = Variable.GetValue("@match");
    // Echo the matched origin back. Leaving the header out when there is no match is
    // what makes the browser refuse the response to sites that are not on the allowlist.
    if (MATCH) {
        Platform.Response.SetResponseHeader("Access-Control-Allow-Origin", MATCH);
        Platform.Response.SetResponseHeader("Vary", "Origin");
    }
    Platform.Response.SetResponseHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
    // Required for the preflight when the request carries a non-simple Content-Type
    Platform.Response.SetResponseHeader("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Accept, Origin, Authorization");
    Platform.Response.SetResponseHeader("X-XSS-Protection", "1; mode=block");
    Platform.Response.SetResponseHeader("Content-Security-Policy", "default-src 'self'");
</script>


After that you can build your response with SSJS, switch back to AMPScript or just build out your response using normal CloudPage syntax.
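The allowlist and header logic above, written out as an added JavaScript example so it can be run and tested outside the CloudPage runtime. This is not SFMC's code or the post's own: the SSJS header calls are replaced by a plain object, yourdomain.com stands in for the real site as it does above, and the sample Referer values are constructed. It also sets a Vary: Origin header, which the post does not, so that a shared cache keyed only on the URL cannot hand one caller's Access-Control-Allow-Origin value to another.

```javascript
// Added example (not SFMC code): the Referer allowlist and CORS headers from the
// post, modelled in plain JavaScript. "yourdomain.com" is a placeholder, as on the page.

// Scheme, zero or more hostname labels, the apex, then end of host ("/" or end of string).
// Labels may only contain [a-z0-9-], so the allowed name cannot be matched inside a
// path or as the prefix of some other host.
const ALLOWED_ORIGIN = /^(https:\/\/(?:[a-z0-9-]+\.)*yourdomain\.com)(?:\/|$)/i;

// Returns the origin (scheme + host) to echo in Access-Control-Allow-Origin, or null
// when the Referer is absent or off the allowlist. Corresponds to the AMPScript @match.
function matchOrigin(referer) {
  if (typeof referer !== 'string') return null;
  const m = ALLOWED_ORIGIN.exec(referer);
  return m ? m[1] : null;
}

// Builds the response headers the SSJS block sets. With no match the
// Access-Control-Allow-Origin header is simply absent and the browser blocks the read.
function corsHeaders(referer) {
  const headers = {
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    // Needed for the preflight when the POST carries a non-simple Content-Type
    'Access-Control-Allow-Headers': 'X-Requested-With, Content-Type, Accept, Origin, Authorization',
    'X-XSS-Protection': '1; mode=block',
    'Content-Security-Policy': "default-src 'self'",
  };
  const origin = matchOrigin(referer);
  if (origin) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin'; // response differs per caller, so caches must key on it
  }
  return headers;
}

// Constructed sample Referers. The first three are on the allowlist; the rest must be
// rejected, including the one where the allowed name appears only in the path.
const SAMPLE_REFERERS = [
  'https://yourdomain.com/',
  'https://www.yourdomain.com/forms/contact?x=1',
  'https://yourdomain.com',
  'http://yourdomain.com/',                       // wrong scheme
  'https://yourdomain.com.example.net/',          // allowed name is a prefix of another host
  'https://example.net/https://yourdomain.com/',  // allowed name only in the path
  undefined,                                      // Referer suppressed by a strict Referrer-Policy
];

for (const ref of SAMPLE_REFERERS) {
  console.log(String(ref), '->', corsHeaders(ref)['Access-Control-Allow-Origin'] || '(header omitted)');
}
```

Running the block prints the echoed origin, or "(header omitted)", for each sample. The negative cases are the ones worth keeping in a test: a pattern built from hostname labels rejects them, whereas a `.*` in the subdomain position would let the allowed name match anywhere in the URL. The last sample shows the practical limit of keying on Referer: under a strict Referrer-Policy the header is not sent, the match is empty, and the browser will block the response even for a legitimate caller.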

