For security reasons, browsers don’t allow JavaScript network calls to resources outside the current origin. Cross-Origin Resource Sharing or CORS solves this restriction, as it lets you specify which cross-domain requests are allowed.

By default, all cross-origin requests to the REST API are allowed. To restrict the origins list you can define the jmix.cors.allowed-origins application property and other CORS properties.

CORS settings are automatically applied to the following URLs:

In order to replace the default CORS configuration provided by Jmix, register a bean with the corsConfigurationSource name in your project. In this case, the properties mentioned above will not work.

Refer to Spring Security Documentation for more information on CORS.