CORS policy

Hi Team,

For one of the endpoints tested through Apigee, the error below is seen.

IMG_0186.jpeg

Trace doesn't show this request.

Note: there is a flow for optionspreflight which checks the supported HTTP method initially.


Have you compared the network tab in your browser and the URL of the requests against the host and path of your configured API proxy that you're using trace/debug on? (To ensure they match)

I see that there are multiple endpoints for that proxy and all of them work fine. But this endpoint, which is newly added and points to the same target, is throwing this error.

Hi @Archie,

This error indicates that the client (most likely a browser) expected an Access-Control-Allow-Origin header with the same value that was sent in the request Origin header, but this response header either was not sent, or the value was different than the request Origin header value. See further information on how CORS works in the Fetch Standard.

Please check whether the target server or your proxy provides this response header.

You can find more information about CORS in the following links:

adding-cors-support-api-proxy

CORS policy in Apigee 

Sites for testing purposes:

https://dinochiesa.github.io/cors-demonstrator/

https://test-cors.org/

If you still have problems, then please provide the request details (verb, all headers with values) and response details (status code, response headers with values).

Br,

Marcello

Tried hitting the URL through the application. But Apigee trace doesn't have these requests coming in, not even the pre-flight. Anyway, I am giving details on the proxy setup, which is working fine for other endpoints.

1. There is a sharedflow that sets the header (attached in the proxy endpoint postflow). Here the hostname is passed through a variable in JavaScript.

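JavaScript snippet:

    // Read the Access-Control-Allow-Origin value already present on the response
    var host = context.getVariable('response.header.access-control-allow-origin');

    if (host !== null && host.trim() !== "") {
        context.setVariable("hostname", host);
    } else {
        // No value on the response: fall back to the wildcard
        context.setVariable("hostname", "*");
    }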

AssignMessage to set header

    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Origin">{hostname}</Header>
            <Header name="Access-Control-Allow-Headers">Values</Header>
            <Header name="Access-Control-Max-Age">Values</Header>
            <Header name="Access-Control-Allow-Methods">PUT, POST, GET, DELETE</Header>
        </Headers>
    </Set>

Proxy endpoint preflow

    <Flow name="xyz">
        <Description/>
        <Request>
            <Step>
                <Name>OA-VerifyAccessToken</Name>
            </Step>
        </Request>
        <Response/>
        <Condition>(proxy.pathsuffix MatchesPath "/cards/xyz") and (request.verb = "POST")</Condition>
    </Flow>

NOTE: There is a pre-flight flow with request.verb = "OPTIONS"

Hi @Archie!
Thank you for the details.

1. It would be important to know what Origin header is sent in the request.

As far as I know, user agents send the Origin header value in a form like

"https://myorigin.com"

So they expect the same value in the response.

Your configuration is based on the variable "host", which AFAIK doesn't contain the protocol, only the DNS, like "myorigin.com"

So even if your policy did the job, it's possible that the response didn't contain the correct value.

It's also interesting that you cannot see the requests in the trace session; it could indicate that the requests do not even hit your Apigee runtime..?

I think we should focus on this problem first. 

1. Could you please try to send a request to that endpoint from another user agent, like curl/Postman?
2. Could you please attach the request/response details from the browser?

Thx,

M
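
Added example, not part of any reply in this thread: the comparison a browser applies to Access-Control-Allow-Origin (reduced from the Fetch Standard's CORS check), next to an allowlist-based way to compute that header. The origins, `ALLOWED_ORIGINS`, `corsHeadersFor` and `corsCheck` are constructed for illustration and are not Apigee APIs.

```javascript
// Added example, not code from the thread. All origins are constructed values.
const ALLOWED_ORIGINS = new Set(["https://myorigin.com", "https://app.myorigin.com"]); // hypothetical

// Proxy/server side: return the Origin only on an exact allowlist match
// (scheme + host + port), instead of reflecting it or falling back to "*".
function corsHeadersFor(requestOrigin) {
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers, so the browser blocks the cross-origin read
  }
  // Vary: Origin keeps caches from serving one origin's response to another.
  return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
}

// Browser side: the Fetch Standard CORS check, reduced to its header comparison.
function corsCheck(requestOrigin, responseHeaders, credentialsMode = "same-origin") {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return "fail: header missing";
  if (credentialsMode !== "include" && acao === "*") return "pass";
  if (acao !== requestOrigin) return "fail: value does not match Origin";
  if (credentialsMode !== "include") return "pass";
  return h["access-control-allow-credentials"] === "true"
    ? "pass"
    : "fail: credentials not allowed";
}

const origin = "https://myorigin.com";
const other = "https://other.example";
const samples = [
  ["host only, no scheme", origin, { "Access-Control-Allow-Origin": "myorigin.com" }, "same-origin"],
  ["allowlist match", origin, corsHeadersFor(origin), "same-origin"],
  ["wildcard, no credentials", origin, { "Access-Control-Allow-Origin": "*" }, "same-origin"],
  ["wildcard with credentials", origin, { "Access-Control-Allow-Origin": "*" }, "include"],
  ["origin not on allowlist", other, corsHeadersFor(other), "same-origin"],
];
for (const [label, reqOrigin, headers, mode] of samples) {
  console.log(label.padEnd(26), corsCheck(reqOrigin, headers, mode));
}
```

The check applies to the preflight response as well as to the actual response, so both need the header.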

Here is the request detail: 

MicrosoftTeams-image (3).png

Field values I have hidden.