Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is a mechanism for using HTTP headers to give access permission to specific resources that are on a different origin server to the document in use.
An example of a cross-origin request is an HTML page provided by domain “A”, which requests a file, such as a CSS stylesheet or JavaScript, provided by domain “B”. For security reasons, most browsers prevent cross-origin HTTP requests originated by scripts.
To allow CORS within a configuration for non-complex requests, you must add the Access-Control-Allow-Origin header to the response.
Complex HTTP requests require additional headers. These are requests that may involve multiple parameters, headers, authentication, request bodies, or other specialized configurations. Any request apart from GET, POST, and HEAD can be considered complex.
CORS permission for non-complex HTTP requests
Section titled CORS permission for non-complex HTTP requestsThe first step in allowing CORS access is to create a rule in Rules Engine:
- Access Real-Time Manager (RTM).
- Select Products Menu > Edge Application.
- In the Rules Engine tab, create a new rule in Response Phase.
- Fill in the fields as in the following example:
| Field | Value |
|---|---|
| Name | GET/POST/HEAD CORS |
| Description | Allows CORS for GET requests in /your-uri |
| Criteria | ${uri} starts with /your-uri |
| Behavior | Add Response Header Access-Control-Allow-Origin: * |
- Click the Save button.
You’ve now created a rule for non-complex request sharing with CORS.
CORS permission for complex HTTP requests
Section titled CORS permission for complex HTTP requestsIn the following example, CORS is being allowed through the OPTIONS method. To create a new rule that allows you to enable resource sharing via complex requests, follow the steps:
- Access RTM.
- Select Products menu > Edge Application.
- In the Rules Engine tab, create a new rule in Response Phase.
- Fill in the fields:
| Field | Value |
|---|---|
| Name | OPTIONS CORS |
| Description | Allows CORS for OPTIONS requests in /your-uri, as well as non-complex requests |
| Criteria | ${uri} starts with /your-uri |
| Behavior | Add Response Header Access-Control-Allow-Origin: *Add Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEADAdd Response Header Content-Type: application/jsonAdd Response Header Allow: POST, GET, OPTIONS, HEADAdd Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD |
- Click the Save button.
CORS permission for specific origins
Section titled CORS permission for specific originsTo enable CORS within a configuration for specific origin servers, you’ll need to enable the Application Acceleration module:
- Access RTM.
- Select Products Menu > Edge Application.
- Edit the required Edge Application configuration.
- In the Main Settings tab, activate the Application Acceleration switch.
- Click the Save button.
Now you need to create a rule that processes requests from multiple origins:
- Go to the Rules Engine tab.
- Click the Add Rule button and select Response Phase.
- Fill in the fields as in the following example:
| Field | Value |
|---|---|
| Name | Multiple origins CORS |
| Criteria | ${http_origin} is equal http://your.domain1.comOR ${http_origin} is equal http://your.domain2.comOR ${http_origin} is equal http://your.domain3.com |
| Behavior | Add Response Header Access-Control-Allow-Origin: *Add Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEADAdd Response Header Content-Type: application/jsonAdd Response Header Allow: POST, GET, OPTIONS, HEADAdd Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD |
- Click the Save button.
Contributors
