CORS Configuration 

By default, the Cross-Origin Resource Sharing (CORS) is disabled for REST API. To enable it, configure a list of origins that are allowed to access your REST API resources via Resources/config/oro/app.yml in any bundle or config/config.yml of your application, e.g.:

oro_api:
    cors:
        allow_origins:
            - 'https://example.com'

You can also configure other CORS options. Here is the default configuration:

oro_api:
    cors:
        # The amount of seconds the user agent is allowed to cache CORS preflight requests.
        preflight_max_age: 600

        # The list of origins that are allowed to send CORS requests.
        allow_origins: []

        # Indicates whether CORS request can include user credentials.
        # This option determines whether the "Access-Control-Allow-Credentials" response header
        # should be passed within CORS requests.
        allow_credentials: false

        # The list of headers that are allowed to send by CORS requests.
        # This option specifies a list of headers that are sent
        # in the "Access-Control-Allow-Headers" response header of CORS preflight requests
        allow_headers: []

        # The list of headers that can be exposed by CORS responses.
        # This option specifies a list of headers that are sent
        # in the "Access-Control-Expose-Headers" response header of CORS requests
        expose_headers: []