Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is a mechanism for using HTTP headers to give access permission to specific resources that are on a different origin server to the document in use.
An example of a cross-origin request is an HTML page provided by domain “A”, which requests a file, such as a CSS stylesheet or JavaScript, provided by domain “B”. For security reasons, most browsers prevent cross-origin HTTP requests originated by scripts.
To allow CORS within a configuration for non-complex requests, you must add the Access-Control-Allow-Origin header to the response.
Complex HTTP requests require additional headers. These are requests that may involve multiple parameters, headers, authentication, request bodies, or other specialized configurations. Any request apart from GET, POST, and HEAD can be considered complex.
Enabling CORS permission for non-complex HTTP requests
The first step in allowing CORS access is to create a rule in Rules Engine:
- Access Azion Console.
- Select Products Menu > Edge Application.
- Select the application you want to work with.
- In the Rules Engine tab, create a new rule in Response Phase.
- Fill in the fields as in the following example:
| Field | Value |
|---|---|
| Name | GET/POST/HEAD CORS |
| Description | Allows CORS for GET requests in /your-uri |
| Phase | Response Phase |
| Criteria | ${uri} starts with /your-uri |
| Behavior | Add Response Header Access-Control-Allow-Origin: * |
- Click the Save button.
You’ve now created a rule for non-complex request sharing with CORS.
Enabling CORS permission for complex HTTP requests
In the following example, CORS is being allowed through the OPTIONS method. To create a new rule that allows you to enable resource sharing via complex requests, follow the steps:
- Access Azion Console.
- Select Products menu > Edge Application.
- Select the application you want to work with.
- In the Rules Engine tab, create a new rule in Response Phase.
- Fill in the fields:
| Field | Value |
|---|---|
| Name | OPTIONS CORS |
| Description | Allows CORS for OPTIONS requests in /your-uri, as well as non-complex requests |
| Phase | Response Phase |
| Criteria | ${uri} starts with /your-uri |
| Behavior | Add Response Header Access-Control-Allow-Origin: *Add Response Header Access-Control-Allow-Headers: Content-Type, AuthorizationAdd Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEADAdd Response Header Content-Type: application/jsonAdd Response Header Allow: POST, GET, OPTIONS, HEADAdd Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD |
- Click the Save button.
Enabling CORS permission for specific origins
To enable CORS within a configuration for specific origin servers, you’ll need to enable the Application Accelerator module:
- Access Azion Console.
- Select Products Menu > Edge Application.
- Select the application you want to work with.
- In the Main Settings tab, activate the Application Accelerator switch.
- Click the Save button.
Now you need to create a rule that processes requests from multiple origins:
- Go to the Rules Engine tab.
- Click the + Rule button.
- Fill in the fields as in the following example:
| Field | Value |
|---|---|
| Name | Multiple origins CORS |
| Phase | Response Phase |
| Criteria | ${http_origin} is equal http://your.domain1.comOR ${http_origin} is equal http://your.domain2.comOR ${http_origin} is equal http://your.domain3.com |
| Behavior | Add Response Header Access-Control-Allow-Origin: *Add Response Header Access-Control-Allow-Headers: Content-Type, AuthorizationAdd Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEADAdd Response Header Content-Type: application/jsonAdd Response Header Allow: POST, GET, OPTIONS, HEADAdd Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD |
- Click the Save button.