Re: Cors policy

Archie · 12-27-2023 06:14 AM

Hi Team,

For one of the endpoint test through apigee below error is seen.

Trace doesn’t shows this request.

note: there is a flow for optionspreflight which checks the supported http method initially.

dknezic

Have you compared the network tab in your browser and the URL of the requests against the host and path of your configured API proxy that you're using trace/debug on? (To ensure they match)

Archie

I see that there are multiple endpoints for that proxy and all of them works fine. But this endpoint which is newly added pointing to same target is throwing this error.

MarciSoos

Hi @Archie ,

This error indicates that the client (most likely a browser) expected Access-Control-Allow-Origin header with the same value that was sent in the request Origin header, but this response header either was not sent, or the value was different then the request Origin header value. See further information of how CORS works in the Fetch Standard.

Please check whether the targetserver or your proxy provide this response header?

You can find more information about CORS in the following links:

adding-cors-support-api-proxy

CORS policy in Apigee

Sites for testing purposes:

https://dinochiesa.github.io/cors-demonstrator/

https://test-cors.org/

If you still have problems, then please provide the request details (verb, all headers with values) and response details (statuscode, response headers with values).

Br,

Marcello

Archie

Trying hitting the url through application. But apigee trace doesn't have these requests coming in, not even the pre-flight. Anyway, I am giving details on the proxy setup which is working fine for other endpoints.

1. There is a sharedflow that sets the header (attached in proxy endpoint postflow). Here the hostname is passed through a variable in javascript

Javascript snippet:

var host = context.getVariable('response.header.access-control-allow-origin');

if (host !== null && host.trim() !== "")
{
context.setVariable("hostname", host);
}
else
{
context.setVariable("hostname", "*");
}

Assignmessage to set header

<Set>
<Headers>
<Header name="Access-Control-Allow-Origin">{hostname}</Header>
<Header name="Access-Control-Allow-Headers">Values</Header>
<Header name="Access-Control-Max-Age">Values</Header>
<Header name="Access-Control-Allow-Methods">PUT, POST, GET, DELETE</Header>
</Headers>
</Set>

Proxy endpoint preflow

<Flow name="xyz">
<Description/>
<Request>
<Step>
<Name>OA-VerifyAccessToken</Name>
</Step>
</Request>
<Response/>
<Condition>(proxy.pathsuffix MatchesPath "/cards/xyz") and (request.verb = "POST")</Condition>
</Flow>

NOTE: There is a pre-flight flow with request.verb = "OPTIONS"

MarciSoos

Hi @Archie !
Thank you for the details.

1. It would be important to know what origin header is sent in the request.

As far as I know, useragents sends the origin header value in a form like

"https://myorigin.com"

So they expect the same value in the response.

Your configurations based on the variable "host" that AFAIK doesn't contains the protocol, only the DNS, like "myorigin.com"

So even if your policy did the job, it's possible that the response didn't contain the correct value.

It's also interesting that you cannot see the requests in the trace session, it could indicate that the requests not even hit your apigee runtime..?

I think we should focus on this problem first.

1. Could you please try to send request to that endpoint from another useragent, like curl/postman?
2. could you please attach the request/response details from the browser?

Thx,

M

Archie

Here is the request detail:

Field values i have hidden.