Cross-origin resource sharing (CORS) is an important security policy that allows web application servers to perform cross-origin access control and thereby secure cross-origin data transmission. Cloud-native gateways allow you to configure CORS policies at the route level, so you can restrict access to resources to specific domain names or request methods based on your business requirements. This prevents security risks such as cross-site request forgery and ensures the reliability and security of services.
Configure a CORS policy
Log on to the MSE console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Cloud-native Gateway > Gateways. On the Gateways page, click the name of the gateway.
In the left-side navigation pane, click Routes, and click the Routes tab.
On the Routes tab, find the routing rule that you want to modify and click Policies in the Actions column.
On the Policies tab, click CORS.
Note: The CORS policy does not take effect for a mock service. You must configure an actual backend test service.
Configure the parameters on the CORS tab and click Save.
Parameter: Allowed Origins
Description: The origins that are allowed to access resources on the current server by using a browser. Configuration rules:
- To specify all origins, enter an asterisk (*).
- To specify a root domain name, use an asterisk (*) as a wildcard character in the domain name, for example, *.example.com.
- To specify multiple origins, enter each origin in a separate row. Each origin must start with http:// or https://.
Note: The specified domain names are the values of the Access-Control-Allow-Origin header. If the Origin header of the request sent by the client matches an origin that is specified in this parameter, the Access-Control-Allow-Origin header in the response is set to the Origin value of the request.

Parameter: Allowed Methods
Description: The HTTP methods that are allowed for CORS requests. Valid values: GET, POST, PUT, DELETE, HEAD, OPTIONS, and PATCH.
Note: The specified methods are the value of the Access-Control-Allow-Methods header.

Parameter: Allowed Request Headers
Description: The extra headers that are allowed in CORS requests in addition to the built-in headers of browsers. Configuration rules:
- To specify all request headers, enter an asterisk (*).
- To specify multiple request headers, enter each request header in a separate row.
Note: The specified headers are the value of the Access-Control-Allow-Headers header.

Parameter: Allowed Response Headers
Description: The response headers that browsers and JavaScript code are allowed to read. Configuration rules:
- To specify all response headers, enter an asterisk (*).
- To specify multiple response headers, enter each response header in a separate row.
Note: The specified headers are the value of the Access-Control-Expose-Headers header.

Parameter: Allow to Carry Credentials
Description: Specifies whether credentials are allowed in CORS requests.
Note: The parameter value is the value of the Access-Control-Allow-Credentials header.

Parameter: Precheck Expiration Time
Description: The maximum period of time during which the result of a preflight request that uses the OPTIONS method is cached.
Note: The specified period of time is the value of the Access-Control-Max-Age header.

Parameter: Enable
Description: Specifies whether to enable the CORS policy.
- If you enable the policy, CORS requests are allowed based on the policy.
- If you disable the policy, all CORS requests are rejected.
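The following model of how the gateway evaluates the parameters above is an added example and is not the gateway's own code. It assumes a CorsPolicy class with one attribute per parameter, treats a *.example.com rule as matching subdomains only (the page does not state whether the bare root domain also matches), echoes the request's Origin into Access-Control-Allow-Origin on a match as the Allowed Origins note describes, and rejects every CORS request when the policy is disabled.

```python
"""Added example: evaluate a route-level CORS policy against a request Origin."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CorsPolicy:
    # Rules are "*", a wildcard root domain such as "*.example.com",
    # or a full origin such as "https://app.example.com" (hypothetical model).
    allowed_origins: list
    allowed_methods: list = field(default_factory=lambda: ["GET"])
    allowed_headers: list = field(default_factory=list)
    exposed_headers: list = field(default_factory=list)
    allow_credentials: bool = False
    max_age: int = 0          # Precheck Expiration Time, in seconds
    enabled: bool = True


def origin_allowed(policy: CorsPolicy, origin: str) -> bool:
    """True if the request Origin matches one of the Allowed Origins rules."""
    host = urlsplit(origin).hostname or ""
    for rule in policy.allowed_origins:
        if rule == "*":
            return True
        if rule.startswith("*."):
            # Wildcard root domain: assumed to match subdomains only, and the
            # leading dot prevents "example.com.evil.net" from matching.
            if host.endswith(rule[1:]):
                return True
        elif rule.rstrip("/") == origin.rstrip("/"):
            return True
    return False


def cors_headers(policy: CorsPolicy, origin: str, preflight: bool = False):
    """Return the CORS response headers the policy adds, or None if rejected."""
    if not policy.enabled or not origin_allowed(policy, origin):
        return None  # disabled policy or unmatched Origin: request is rejected
    headers = {"Access-Control-Allow-Origin": origin}  # echo the matched Origin
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:  # OPTIONS preflight: advertise methods, headers and cache time
        headers["Access-Control-Allow-Methods"] = ",".join(policy.allowed_methods)
        if policy.allowed_headers:
            headers["Access-Control-Allow-Headers"] = ",".join(policy.allowed_headers)
        if policy.max_age:
            headers["Access-Control-Max-Age"] = str(policy.max_age)
    elif policy.exposed_headers:  # actual request: expose readable headers
        headers["Access-Control-Expose-Headers"] = ",".join(policy.exposed_headers)
    return headers
```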
Verify the result
Run the following command to check the result:
curl -I -H "Origin: http://example.com" -H 'Host: www.test.com' -X OPTIONS http://121.196.XX.XX/demo/item/list
A response that is similar to the following is returned:
HTTP/1.1 200 OK
allow: GET,HEAD,OPTIONS
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: DENY
content-length: 0
date: Tue, 30 Nov 2021 03:20:31 GMT
x-envoy-upstream-service-time: 6
access-control-allow-origin: http://example.com
access-control-allow-credentials: true
access-control-expose-headers: *
server: istio-envoy
References
For more information about CORS, see Cross-Origin Resource Sharing (CORS).