APIGEE oauth2 CORS & Preflight issue

Hello,

I am facing an OAuth2 CORS and preflight issue when integrating the access token endpoint directly with the UI. I have attached the CORS policy in the preflow request, but it doesn't solve the issue. Does anyone have an idea for this?

1 REPLY

Hello,
Adding the CORS policy is not enough to support CORS.

You should:

  1. Handle CORS preflight requests
  2. Attach the CORS policy to the response preflow of the TargetEndpoint of the API proxy.

There are more exhaustive examples here and here.

In your proxy endpoint you need that flow:

<!--  CORS -->
        <Flow name="OptionsPreFlight">
            <Request>
                <Step>
                    <Name>CORS</Name>
                </Step>
            </Request>
            <Response>
                <Step>
                    <Name>AM_Set-Allow-Credential</Name>
                </Step>
            </Response>
            <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
        </Flow>

 There is also a bug: https://www.googlecloudcommunity.com/gc/Apigee/CORS-Policy-doesn-t-generate-header-Access-Control-Al...

And you must disable routing for preflight: 

<RouteRule name="NoRoute">
    <Condition>request.verb == "OPTIONS"</Condition>
</RouteRule>

Then, you should also attach the CORS policy in the Response Preflow of the TargetEndpoint:

<TargetEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>CORS</Name>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
    <Flows/>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
</TargetEndpoint>
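
To check whether the proxy's OPTIONS response would actually pass the browser's preflight check, the following added example (not part of the reply above, and not Apigee code) applies the Fetch standard's preflight rules to a captured response. The function name `checkPreflight`, the object shapes and the origin `https://ui.example.com` are assumptions made for illustration.

```javascript
// Added example: evaluates a preflight (OPTIONS) response the way a browser does.
// Response header names are expected in lower case; sample values are constructed.
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const parseList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted names], credentials: boolean }
// res: { status, headers: { "lower-case-name": "value" } }
function checkPreflight(req, res) {
  const problems = [];
  const h = res.headers || {};
  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);
  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin === "*") {
    if (req.credentials) problems.push("wildcard origin rejected for credentialed request");
  } else if (allowOrigin !== req.origin) {
    problems.push(`allowed origin ${allowOrigin} does not match ${req.origin}`);
  }
  if (req.credentials && h["access-control-allow-credentials"] !== "true") {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  const wildcardOk = !req.credentials; // "*" only counts without credentials
  const methods = parseList(h["access-control-allow-methods"]);
  if (!SAFE_METHODS.includes(req.method) && !methods.includes(req.method) &&
      !(wildcardOk && methods.includes("*"))) {
    problems.push(`method ${req.method} not allowed`);
  }
  const allowed = parseList(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    // "*" never covers Authorization; it has to be listed by name.
    const viaWildcard = wildcardOk && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) problems.push(`header ${name} not allowed`);
  }
  return problems;
}

// Constructed sample: the UI sends client credentials in an Authorization header.
const sampleReq = { origin: "https://ui.example.com", method: "POST",
  headers: ["Authorization"], credentials: false };
const sampleRes = { status: 200, headers: {
  "access-control-allow-origin": "https://ui.example.com",
  "access-control-allow-methods": "POST, OPTIONS",
  "access-control-allow-headers": "*" } };
console.log(checkPreflight(sampleReq, sampleRes));
```

An empty array means the browser would go on to send the real token request; each string names one reason the preflight fails.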