The ArcGIS API for JavaScript and CORS

This topic specifically discusses CORS (Cross Origin Resource Sharing). Additional information on working with proxies can be found in the proxies guide topic.

The ArcGIS API for JavaScript has automatic detection for CORS. CORS allows web applications to bypass a browser's same origin policy and access resources or services on other servers/domains. When both the web server and the browser support CORS, a proxy is not required to do cross-domain requests. This is helpful as it can:

  • Provide a performance boost since the web application no longer has to send a request back to its server, wait for the server to access the desired resource, and interpret the result before sending it back to the client.
  • Simplify development as it is no longer necessary to maintain a proxy page on your server.

To support CORS, web servers must be pre-configured for it and browsers must be able to support it. For additional details on enabling this in a web server, please visit enable-cors.org.

Handling CORS in application workflow

Requests will always be made with the assumption that CORS is supported. If your server doesn't yet support CORS, you can enable a proxy rule.

Although the ArcGIS API for JavaScript automatically assumes CORS support, we do recommend configuring a proxy if you are unsure about whether the services in your application are enabled for it. This proxy can be referenced within the application via the proxyUrl. By adding this, the application has a fallback mechanism in place in case the service request fails due to lack of CORS support.

Please note that prior to version 10.1, ArcGIS Server services were not enabled for CORS. If needing to work with older versions of ArcGIS Server, you will need to make a request to the service via a proxy.

Additional information