Cross-Origin Resource Sharing (CORS) for Salesforce.com

By default browsers limit access to cross-origin resources. For instance, if a JavaScript app is loaded from foo.com then it isn’t allowed to access content from bar.com because this would be a significant security hole. Cross-Origin Resource Sharing (CORS) is the way to workaround this limitation in modern browsers.

Salesforce.com has a great REST api but unfortunately it doesn’t yet have native CORS support (but you can vote for this feature). Having CORS support comes in handy with JavaScript UIs on top of the Salesforce REST APIs. Luckily you can easily workaround this by proxying the API requests through the server that is serving the JavaScript UI so that the REST requests are not cross-origin. But it is tedious to set this up for every app, so I created a generic Salesforce CORS proxy.

For demo purposes the CORS proxy is available at: https://sfdc-cors.herokuapp.com

So you can just replace your Salesforce domain name with sfdc-cors.herokuapp.com to use the CORS proxy. Here is an example:

$ curl -i -H 'Authorization: Bearer YOUR_SESSION_ID' https://sfdc-cors.herokuapp.com/services/data/v30.0/query/?q=select%20Id%20from%20Account
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *

The HTTP Response contained the necessary CORS header on the GET request. An OPTIONS request also returns the right response headers to allow the request.

This app is open source so you can easily deploy it on your own Heroku app or in your own environment for production usage.

One of the other nice features of this proxy is that it figures out which Salesforce instance to connect to. So you no longer need to specify something like na9.salesforce.com – instead just use one domain name for all of your apps and instances.

I hope this is useful for you. Let me know if you have any questions or feedback.