The header that you need is:
In your published REST service you can create an operation for the “OPTIONS” request. Add that to your published service and create a microflow that creates the access-control-allow-origin header with the value of the URL that you are accessing it from (or you can use an * but be cautious of using the wildcard).
Here is an example:
Hope this helps!
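The decision an OPTIONS operation like the one described above has to make, written out as an added example (not part of the original answer and not Mendix code): echo the caller's origin only on an exact allowlist match instead of returning `*`. The allowlist, method and header lists, and sample origins are constructed for illustration.

```javascript
// Added example: compute the response to a CORS preflight (OPTIONS) request.
// ALLOWED_ORIGINS, ALLOWED_METHODS and ALLOWED_HEADERS are assumed values.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:3000",
  "https://app.example.com",
]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

function preflightResponse(requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  // Header names are case-insensitive, so normalise them to lower case.
  const h = {};
  for (const [k, v] of Object.entries(requestHeaders)) h[k.toLowerCase()] = String(v);

  // Vary: Origin keeps shared caches from reusing one origin's answer for another.
  const base = { Vary: "Origin" };

  // Exact string match only. Prefix, suffix or substring checks would also
  // accept look-alike origins such as "https://app.example.com.other.test".
  const origin = h["origin"];
  if (!origin || !allowedOrigins.has(origin)) return { status: 403, headers: base };

  const method = (h["access-control-request-method"] || "").toUpperCase();
  if (!ALLOWED_METHODS.includes(method)) return { status: 403, headers: base };

  const requested = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (!requested.every((name) => ALLOWED_HEADERS.includes(name))) {
    return { status: 403, headers: base };
  }

  return {
    status: 204,
    headers: {
      ...base,
      "Access-Control-Allow-Origin": origin, // the matched origin, never "*"
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Access-Control-Max-Age": "600",
    },
  };
}
```

A rejected preflight carries no `Access-Control-Allow-Origin` header at all, which is what makes the browser block the cross-origin call.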
You might want to use Mendix 8.1.
In the release notes, it says: “We changed the behavior of OPTIONS requests to published REST services. Authentication is no longer required when you define an OPTIONS microflow. In addition, when CORS is checked, you no longer need an OPTIONS microflows; the service will respond to OPTIONS requests with CORS headers.”
The Same Origin Policy (SOP) is a security measure standardized among browsers. It is needed to prevent Cross-Site Request Forgery (CSRF). The "Origin" mostly refers to a "Domain". Same Origin Policy prevents different origins (domains) from interacting with each other, to prevent attacks such as CSRF (Cross-Site Request Forgery) through such requests, like AJAX. In other words, the browser would not allow any site to make a request to any other site. Without Same Origin Policy, any web page would be able to access the DOM of other pages.
If you need to enable CORS on the server in case of localhost, you need to have the following in the request header.