Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is a mechanism for using HTTP headers to give access permission to specific resources that are on a different origin server to the document in use.
An example of a cross-origin request is an HTML page provided by domain “A”, which requests a file, such as a CSS stylesheet or JavaScript, provided by domain “B”. For security reasons, most browsers prevent cross-origin HTTP requests originated by scripts.
To allow CORS within a configuration for non-complex requests, you must add the Access-Control-Allow-Origin
header to the response.
Complex HTTP requests require additional headers. These are requests that may involve multiple parameters, headers, authentication, request bodies, or other specialized configurations. Any request apart from GET
, POST
, and HEAD
can be considered complex.
Enabling CORS permission for non-complex HTTP requests
The first step in allowing CORS access is to create a rule in Rules Engine:
- Access Azion Console.
- Select Products Menu > Edge Application.
- Select the application you want to work with.
- In the Rules Engine tab, create a new rule in Response Phase.
- Fill in the fields as in the following example:
Field | Value |
---|---|
Name | GET/POST/HEAD CORS |
Description | Allows CORS for GET requests in /your-uri |
Phase | Response Phase |
Criteria | ${uri} starts with /your-uri |
Behavior | Add Response Header Access-Control-Allow-Origin: * |
- Click the Save button.
You’ve now created a rule for non-complex request sharing with CORS.
- Access Real-Time Manager (RTM).
- Select Products Menu > Edge Application.
- Select the application you want to work with.
- In the Rules Engine tab, create a new rule in Response Phase.
- Fill in the fields as in the following example:
Field | Value |
---|---|
Name | GET/POST/HEAD CORS |
Description | Allows CORS for GET requests in /your-uri |
Criteria | ${uri} starts with /your-uri |
Behavior | Add Response Header Access-Control-Allow-Origin: * |
- Click the Save button.
You’ve now created a rule for non-complex request sharing with CORS.
Enabling CORS permission for complex HTTP requests
In the following example, CORS is being allowed through the OPTIONS
method. To create a new rule that allows you to enable resource sharing via complex requests, follow the steps:
- Access Azion Console.
- Select Products menu > Edge Application.
- Select the application you want to work with.
- In the Rules Engine tab, create a new rule in Response Phase.
- Fill in the fields:
Field | Value |
---|---|
Name | OPTIONS CORS |
Description | Allows CORS for OPTIONS requests in /your-uri, as well as non-complex requests |
Phase | Response Phase |
Criteria | ${uri} starts with /your-uri |
Behavior | Add Response Header Access-Control-Allow-Origin: * Add Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEAD Add Response Header Content-Type: application/json Add Response Header Allow: POST, GET, OPTIONS, HEAD Add Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD |
- Click the Save button.
- Access Real-Time Manager (RTM).
- Select Products menu > Edge Application.
- Select the application you want to work with.
- In the Rules Engine tab, create a new rule in Response Phase.
- Fill in the fields:
Field | Value |
---|---|
Name | OPTIONS CORS |
Description | Allows CORS for OPTIONS requests in /your-uri, as well as non-complex requests |
Criteria | ${uri} starts with /your-uri |
Behavior | Add Response Header Access-Control-Allow-Origin: * Add Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEAD Add Response Header Content-Type: application/json Add Response Header Allow: POST, GET, OPTIONS, HEAD Add Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD |
- Click the Save button.
Enabling CORS permission for specific origins
To enable CORS within a configuration for specific origin servers, you’ll need to enable the Application Accelerator module:
- Access Azion Console.
- Select Products Menu > Edge Application.
- Select the application you want to work with.
- In the Main Settings tab, activate the Application Accelerator switch.
- Click the Save button.
- Access Real-Time Manager (RTM).
- Select Products Menu > Edge Application.
- Select the application you want to work with.
- In the Main Settings tab, activate the Application Accelerator switch.
- Click the Save button.
Now you need to create a rule that processes requests from multiple origins:
- Go to the Rules Engine tab.
- Click the + Rule button.
- Fill in the fields as in the following example:
Field | Value |
---|---|
Name | Multiple origins CORS |
Phase | Response Phase |
Criteria | ${http_origin} is equal http://your.domain1.com OR ${http_origin} is equal http://your.domain2.com OR ${http_origin} is equal http://your.domain3.com |
Behavior | Add Response Header Access-Control-Allow-Origin: * Add Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEAD Add Response Header Content-Type: application/json Add Response Header Allow: POST, GET, OPTIONS, HEAD Add Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD |
- Click the Save button.
- Go to the Rules Engine tab.
- Click the New Rule button and select Response Phase.
- Fill in the fields as in the following example:
Field | Value |
---|---|
Name | Multiple origins CORS |
Criteria | ${http_origin} is equal http://your.domain1.com OR ${http_origin} is equal http://your.domain2.com OR ${http_origin} is equal http://your.domain3.com |
Behavior | Add Response Header Access-Control-Allow-Origin: * Add Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEAD Add Response Header Content-Type: application/json Add Response Header Allow: POST, GET, OPTIONS, HEAD Add Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD |
- Click the Save button.