Enabling CORS with Domino to allow Cross Domain Requests

One of the issues currently with building web applications which use AJAX to access services is, typically you are blocked by the browser security from accessing another domain.  This can make it difficult to mix and match solutions and services even within your same company.

e.g. You want to access Domino Data via a REST API (either built in or custom) but serve the client web side using another server and or technology.


When building Web applications which typically use AJAX to call serverside APIs there has really only been 3 options in the past:

  • Use relative URLs – meaning the server side element has to be contactable under the same domain.
  • Use JSONP – which is workaround and involves dynamic script injection – for this to work though the serverside element has to support it and modify its output.
  • Use a proxy – where a server side element contactable under the same domain proxies the actual request serverside and then returns the response.

CORS is a method by which you can enable cross domain requests on the server.

According to wikipedia CORS – Cross-origin resource sharing is a mechanism that allows Javascript on a web page to make XMLHttpRequests to another domain, not the domain the Javascript originated from.

Domino Configuration

To enable CORS you need to add a new web site rule to any internet sites you wish to enable CORS for. 


Internet Site documents are found in the Server Names & Address Book (names.nsf normally)


Web site rules are created via an action button with the Internet Site document.

The rule details you need are:

Type of ruleHTTP Response headers
Incoming URL pattern*
HTTP Response codes200, 206
Expires HeadersAdd header only if application did not
Custom HeadersName: Access-Control-Allow-Origin      Value: *     Override
Name: Access-Control-Allow-Headers     Value: Origin, X-Requested-With, Content-Type, Accept     Override


To test your new shiny configuration – assuming your Domino sever is available on the internet – you can use this service: http://client.cors-api.appspot.com/client