Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) is a mechanism for using HTTP headers to give access permission to specific resources that are on a different origin server to the document in use.

An example of a cross-origin request is an HTML page provided by domain “A”, which requests a file, such as a CSS stylesheet or JavaScript, provided by domain “B”. For security reasons, most browsers prevent cross-origin HTTP requests originated by scripts.

To allow CORS within a configuration for non-complex requests, you must add the Access-Control-Allow-Origin header to the response.

Complex HTTP requests require additional headers. These are requests that may involve multiple parameters, headers, authentication, request bodies, or other specialized configurations. Any request apart from GET, POST, and HEAD can be considered complex.


Enabling CORS permission for non-complex HTTP requests

The first step in allowing CORS access is to create a rule in Rules Engine:

  1. Access Azion Console.
  2. Select Products Menu > Edge Application.
  3. Select the application you want to work with.
  4. In the Rules Engine tab, create a new rule in Response Phase.
  5. Fill in the fields as in the following example:
FieldValue
NameGET/POST/HEAD CORS
DescriptionAllows CORS for GET requests in /your-uri
PhaseResponse Phase
Criteria${uri} starts with /your-uri
BehaviorAdd Response Header Access-Control-Allow-Origin: *
  1. Click the Save button.

You’ve now created a rule for non-complex request sharing with CORS.


Enabling CORS permission for complex HTTP requests

In the following example, CORS is being allowed through the OPTIONS method. To create a new rule that allows you to enable resource sharing via complex requests, follow the steps:

  1. Access Azion Console.
  2. Select Products menu > Edge Application.
  3. Select the application you want to work with.
  4. In the Rules Engine tab, create a new rule in Response Phase.
  5. Fill in the fields:
FieldValue
NameOPTIONS CORS
DescriptionAllows CORS for OPTIONS requests in /your-uri, as well as non-complex requests
PhaseResponse Phase
Criteria${uri} starts with /your-uri
BehaviorAdd Response Header Access-Control-Allow-Origin: *
Add Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEAD
Add Response Header Content-Type: application/json
Add Response Header Allow: POST, GET, OPTIONS, HEAD
Add Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD
  1. Click the Save button.

Enabling CORS permission for specific origins

To enable CORS within a configuration for specific origin servers, you’ll need to enable the Application Accelerator module:

  1. Access Azion Console.
  2. Select Products Menu > Edge Application.
  3. Select the application you want to work with.
  4. In the Main Settings tab, activate the Application Accelerator switch.
  5. Click the Save button.

Now you need to create a rule that processes requests from multiple origins:

  1. Go to the Rules Engine tab.
  2. Click the + Rule button.
  3. Fill in the fields as in the following example:
FieldValue
NameMultiple origins CORS
PhaseResponse Phase
Criteria${http_origin} is equal http://your.domain1.com
OR ${http_origin} is equal http://your.domain2.com
OR ${http_origin} is equal http://your.domain3.com
BehaviorAdd Response Header Access-Control-Allow-Origin: *
Add Response Header Access-Control-Request-Method: POST, GET, OPTIONS, HEAD
Add Response Header Content-Type: application/json
Add Response Header Allow: POST, GET, OPTIONS, HEAD
Add Response Header Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD
  1. Click the Save button.

Contributors