Can someone tell me if this is by design please :
My CORS policy
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CORS continueOnError="false" enabled="true" name="CORS-Response-v0">
<DisplayName>CORS-Response-v0</DisplayName>
<AllowOrigins>{request.header.origin}</AllowOrigins>
<AllowMethods>{into.cors-handling.operations}</AllowMethods>
<AllowHeaders>origin, x-requested-with, accept, content-type, authorization, x-api-key</AllowHeaders>
<ExposeHeaders>*</ExposeHeaders>
<MaxAge>3628800</MaxAge>
<AllowCredentials>false</AllowCredentials>
<GeneratePreflightResponse>true</GeneratePreflightResponse>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</CORS>
request.header.origin = http://localhost:8998. I've used an assign message policy to push that value out as a response header and sure enough it looks like this from curl :
< Apigee-CORS-Headers-IndicatorDebug2: http://localhost:8998
So first I make an OPTIONS request to my simple proxy hitting the CORS policy and it returns for the CORS headers I'm interested in as expected:
< Access-Control-Request-Method: GET
< Origin: http://localhost:8998
No problem I immediately call a GET against the same proxy and of course the same CORS policy (via same shared flow now called in the TargetEndpoint) passing the same Origin of http://localhost:8998
But what I get back is :
< Access-Control-Allow-Origin: *
Why am I not getting back these headers per the policy
< Access-Control-Request-Method: GET
< Origin: http://localhost:8998
as with the OPTIONS request? I changed the policy to this :
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CORS continueOnError="false" enabled="true" name="CORS-Response-v0">
<DisplayName>CORS-Response-v0</DisplayName>
<AllowOrigins>http://localhost:8998</AllowOrigins>
<AllowMethods>{into.cors-handling.operations}</AllowMethods>
<AllowHeaders>origin, x-requested-with, accept, content-type, authorization, x-api-key</AllowHeaders>
<ExposeHeaders>*</ExposeHeaders>
<MaxAge>3628800</MaxAge>
<AllowCredentials>false</AllowCredentials>
<GeneratePreflightResponse>true</GeneratePreflightResponse>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</CORS>
And it's giving me
< Access-Control-Allow-Origin: *
I should be getting :
< Access-Control-Request-Method: GET
< Origin: http://localhost:8998
Right? Or help!
Solved! Go to Solution.
Just replying to my own post as you do ....
I seem to have fixed it. I'm now getting
< Access-Control-Allow-Origin: http://localhost:8998
Not helpful but not entirely sure what fixed it. What I did :
1. Restarted the emulator
2. Made sure my CORS policy was last in the shared flow.
3. Made sure each <Step> only had 1 policy.
I had an AssignMessageHeader Policy in the flow after the CORS Policy setting some headers (mostly for debugging). I made sure the CORS Policy was last in the shared flow in case that policy was affecting the previously set CORS Headers.
I had 2 Policies in the same Step like this
<Step>
<Name>CORS-Response-v0</Name>
<Name>AssignMessage-AddCORSResponseHeaderDebug</Name>
<Condition>apim.cors.headers-indicator == true</Condition>
</Step>
Just replying to my own post as you do ....
I seem to have fixed it. I'm now getting
< Access-Control-Allow-Origin: http://localhost:8998
Not helpful but not entirely sure what fixed it. What I did :
1. Restarted the emulator
2. Made sure my CORS policy was last in the shared flow.
3. Made sure each <Step> only had 1 policy.
I had an AssignMessageHeader Policy in the flow after the CORS Policy setting some headers (mostly for debugging). I made sure the CORS Policy was last in the shared flow in case that policy was affecting the previously set CORS Headers.
I had 2 Policies in the same Step like this
<Step>
<Name>CORS-Response-v0</Name>
<Name>AssignMessage-AddCORSResponseHeaderDebug</Name>
<Condition>apim.cors.headers-indicator == true</Condition>
</Step>