CORS Headers set to 'Access-Control-Allow-Origin: *' despite passing specific Origin

Can someone tell me if this is by design please:
My CORS policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CORS continueOnError="false" enabled="true" name="CORS-Response-v0">
    <DisplayName>CORS-Response-v0</DisplayName>
    <AllowOrigins>{request.header.origin}</AllowOrigins>
    <AllowMethods>{into.cors-handling.operations}</AllowMethods>
    <AllowHeaders>origin, x-requested-with, accept, content-type, authorization, x-api-key</AllowHeaders>
    <ExposeHeaders>*</ExposeHeaders>
    <MaxAge>3628800</MaxAge>
    <AllowCredentials>false</AllowCredentials>
    <GeneratePreflightResponse>true</GeneratePreflightResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</CORS>

request.header.origin = http://localhost:8998. I've used an assign message policy to push that value out as a response header and sure enough it looks like this from curl:

< Apigee-CORS-Headers-IndicatorDebug2: http://localhost:8998

So first I make an OPTIONS request to my simple proxy hitting the CORS policy and it returns for the CORS headers I'm interested in as expected:

< Access-Control-Request-Method: GET
< Origin: http://localhost:8998
No problem I immediately call a GET against the same proxy and of course the same CORS policy (via same shared flow now called in the TargetEndpoint) passing the same Origin of http://localhost:8998

But what I get back is:

< Access-Control-Allow-Origin: *

Why am I not getting back these headers per the policy

< Access-Control-Request-Method: GET
< Origin: http://localhost:8998

as with the OPTIONS request? I changed the policy to this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CORS continueOnError="false" enabled="true" name="CORS-Response-v0">
    <DisplayName>CORS-Response-v0</DisplayName>
    <AllowOrigins>http://localhost:8998</AllowOrigins>
    <AllowMethods>{into.cors-handling.operations}</AllowMethods>
    <AllowHeaders>origin, x-requested-with, accept, content-type, authorization, x-api-key</AllowHeaders>
    <ExposeHeaders>*</ExposeHeaders>
    <MaxAge>3628800</MaxAge>
    <AllowCredentials>false</AllowCredentials>
    <GeneratePreflightResponse>true</GeneratePreflightResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</CORS>

And it's giving me:

< Access-Control-Allow-Origin: *

I should be getting:

< Access-Control-Request-Method: GET
< Origin: http://localhost:8998
Right? Or help!
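The two requests described above, as an added example that is not part of the original post: a small Python probe that sends the preflight (OPTIONS plus Access-Control-Request-Method) and then the actual GET, each with an Origin header, and classifies the Access-Control-Allow-Origin value that comes back. PROXY_URL is a placeholder, the function names are mine, and the second origin is a constructed value; http://localhost:8998 is the origin from the post. Because `{request.header.origin}` in AllowOrigins echoes whatever origin the request carries, the probe also sends a second origin so that reflection can be told apart from a real allow-list, which is the check worth having beside the bare `*` result.

```python
# Added example (not from the original post): probe a proxy's CORS behaviour
# for the preflight (OPTIONS) and the actual request, and classify what comes
# back. SAMPLE_ORIGIN is the origin used in the post; PROXY_URL is a
# placeholder to replace; the second probe origin is a constructed value.
import urllib.error
import urllib.request

PROXY_URL = "http://localhost:8080/your-proxy"   # placeholder, replace
SAMPLE_ORIGIN = "http://localhost:8998"          # origin used in the post
OTHER_ORIGIN = "http://other.example"            # constructed second origin


def classify_acao(request_origin, response_headers):
    """Classify the Access-Control-Allow-Origin (ACAO) header of a response
    relative to the Origin that was sent. Header names are matched
    case-insensitively, as they are on the wire; values are whitespace-trimmed."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "missing"                  # browser will not expose the response
    if acao == "*":
        # Any origin may read the response. Browsers reject '*' on credentialed
        # requests, so '*' together with credentials=true is a misconfiguration.
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao == request_origin:
        return "matches-origin"           # allow-listed or reflected; see is_reflecting
    return "mismatch"                     # ACAO names a different origin: blocked


def is_reflecting(observations):
    """Given (sent_origin, acao_value) pairs covering at least two distinct
    origins, report whether the server echoes whatever Origin it receives.
    <AllowOrigins>{request.header.origin}</AllowOrigins> behaves this way: it is
    equivalent to '*' for anonymous requests, but unlike '*' it would also work
    if AllowCredentials were ever switched to true, so it deserves a flag."""
    distinct = {origin for origin, _ in observations}
    return len(distinct) >= 2 and all(acao == origin for origin, acao in observations)


def fetch_cors_headers(url, origin, method="GET", preflight=False, timeout=5):
    """Send the preflight (OPTIONS + Access-Control-Request-Method) or the actual
    request with an Origin header and return the response headers as a dict.
    Error responses carry headers too, so they are returned rather than raised."""
    req = urllib.request.Request(url, method="OPTIONS" if preflight else method)
    req.add_header("Origin", origin)
    if preflight:
        req.add_header("Access-Control-Request-Method", method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


def check_proxy(url, origins=(SAMPLE_ORIGIN, OTHER_ORIGIN)):
    """Compare preflight and actual responses per origin and detect reflection."""
    report = {}
    actual_acao = []
    for origin in origins:
        pre = fetch_cors_headers(url, origin, preflight=True)
        act = fetch_cors_headers(url, origin)
        report[origin] = {
            "preflight": classify_acao(origin, pre),
            "actual": classify_acao(origin, act),
        }
        lowered = {k.lower(): v.strip() for k, v in act.items()}
        actual_acao.append((origin, lowered.get("access-control-allow-origin", "")))
    report["reflects_any_origin"] = is_reflecting(actual_acao)
    return report


if __name__ == "__main__":
    # Offline run on the two header values quoted in the post (constructed dicts):
    print(classify_acao(SAMPLE_ORIGIN, {"Access-Control-Allow-Origin": "*"}))            # wildcard
    print(classify_acao(SAMPLE_ORIGIN, {"Access-Control-Allow-Origin": SAMPLE_ORIGIN}))  # matches-origin
    # Live check against a reachable proxy (uncomment and set PROXY_URL):
    # print(check_proxy(PROXY_URL))
```

Run it against the proxy once with the policy's intended origin and once with an unrelated one: a correct allow-list gives `matches-origin` for the first and `mismatch` (or `missing`) for the second, while `reflects_any_origin` turning up `True` means the policy is echoing the request's Origin rather than enforcing a list.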

ACCEPTED SOLUTION

Just replying to my own post as you do ....

I seem to have fixed it. I'm now getting

< Access-Control-Allow-Origin: http://localhost:8998

Not helpful but not entirely sure what fixed it. What I did:

1. Restarted the emulator
2. Made sure my CORS policy was last in the shared flow.
3. Made sure each <Step> only had 1 policy.

I had an AssignMessageHeader Policy in the flow after the CORS Policy setting some headers (mostly for debugging). I made sure the CORS Policy was last in the shared flow in case that policy was affecting the previously set CORS Headers.

I had 2 Policies in the same Step like this:

    <Step>
        <Name>CORS-Response-v0</Name>
        <Name>AssignMessage-AddCORSResponseHeaderDebug</Name>
        <Condition>apim.cors.headers-indicator == true</Condition>
    </Step>

I think that was it but oddly the OPTIONS request hitting the same shared flow was working!