CORS Preflight and Passing CORS header in response


I have a general query about how we design CORS in APIGEE.

When the consumer sends a CORS preflight with HTTP method OPTIONS, APIGEE sends CORS headers to the consumer to let the consumer know about the allowable origins, methods, etc.

1) If preflight is already happening, then do we also need to send CORS headers in each and every response APIGEE sends to the consumer, through an Assign Message policy in the response path?

2) Do all browser-based consumers send a preflight request with HTTP method OPTIONS as the initial request?

1 ACCEPTED SOLUTION

1) Yes, according to the CORS standard, the Access-Control-Allow-xxxx headers should be sent with every response, not only in the response to the pre-flight request.

2) No, the preflight (OPTIONS) request is not sent before all requests. The preflight is sent only in special circumstances. You can read about those circumstances in the CORS specs.

reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
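As an added example (not part of the accepted answer, of the thread, or of any Apigee code), the following Python simulation works through both points: `needs_preflight` implements the "simple request" test that decides whether a browser sends an OPTIONS preflight at all, and `handle` models what a proxy's response path should attach to every response, plus the extra headers only a preflight answer needs. The origin allowlist, allowed methods and allowed request headers are constructed values; the safelisted-header check is simplified (the spec's header-value length limits are ignored). In Apigee the equivalent would live in an AssignMessage policy on the response flow, which this example does not use.

```python
# Added example (not from the accepted answer, the thread, or Apigee): a small
# simulation of when a preflight happens and what every response should carry.

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# CORS-safelisted request headers (the spec's value-length limits are ignored here)
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# Constructed proxy configuration (assumption: what an API team would put in its policy)
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_REQUEST_HEADERS = {"authorization", "content-type", "x-api-key"}
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache a preflight result


def needs_preflight(method, headers):
    """Return True if a browser would send an OPTIONS preflight before this request.

    A request skips the preflight only when it is a "simple request": a simple
    method and no request header outside the safelist (Content-Type counts only
    with one of three form-style media types). Anything else, e.g. PUT, a JSON
    body or an Authorization header, is preflighted first.
    """
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return True
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return True
    return False


def cors_headers(origin, allowed_origins=ALLOWED_ORIGINS, allow_credentials=False):
    """Headers the response path adds to every response, preflight or not.

    The Origin value is echoed back only after it passes the allowlist; echoing
    it unconditionally would grant every site on the web. 'Vary: Origin' keeps
    caches from serving one origin's grant to another.
    """
    if origin is None or origin not in allowed_origins:
        return {}  # no grant: the browser blocks the cross-origin read
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    return out


def handle(request):
    """Simulated response path. Returns (status, headers).

    request = {"method": ..., "headers": {...}}; header names are matched
    case-insensitively. A normal response just carries the per-response CORS
    headers; a preflight additionally answers the Allow-Methods/Allow-Headers
    questions and needs no body.
    """
    hdrs = {k.lower(): v for k, v in request.get("headers", {}).items()}
    origin = hdrs.get("origin")
    cors = cors_headers(origin)

    is_preflight = request["method"].upper() == "OPTIONS" and "access-control-request-method" in hdrs
    if not is_preflight:
        return 200, cors  # actual API response plus the per-response CORS headers

    requested_method = hdrs["access-control-request-method"].upper()
    if not cors or requested_method not in ALLOWED_METHODS:
        return 403, {}  # unknown origin or disallowed method: refuse the preflight

    requested = [h.strip().lower() for h in hdrs.get("access-control-request-headers", "").split(",") if h.strip()]
    granted = [h for h in requested if h in ALLOWED_REQUEST_HEADERS]
    if len(granted) != len(requested):
        return 403, {}  # the browser asked for a header the proxy does not permit

    cors.update({
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(granted),
        "Access-Control-Max-Age": str(PREFLIGHT_MAX_AGE),
    })
    return 204, cors


if __name__ == "__main__":
    print(needs_preflight("GET", {"Accept": "*/*"}))                       # False
    print(needs_preflight("POST", {"Content-Type": "application/json"}))  # True
    print(handle({"method": "OPTIONS", "headers": {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Authorization, Content-Type"}}))
    print(handle({"method": "GET", "headers": {"Origin": "https://evil.example"}}))  # (200, {})
```

Two design points worth carrying over to a real proxy: the Access-Control-Allow-Origin header is computed on every response, not only for OPTIONS, because the browser checks it on the actual response as well; and the request's Origin is reflected only after an allowlist check, so that `{request.header.origin}` never becomes an unconditional grant to whoever sent the request.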


Thank you @Dino. The link was very helpful. I got the answer to my 2nd question more clearly.

Additionally, I learnt the purpose of Allow-Origin set as {request.header.origin}. I had a misconception that we need to define static values.


Thank you @Maruti Chand


Hi @RK4 here is a sample API proxy that you can use as a reference for providing CORS support in your proxies. Please change the value of the "Access-Control-Allow-Origin" header (in Set CORS policy) to something more meaningful.

cors-rev1-2016-04-10.zip

@Prithpal Bhogill Thanks. My notion was that we should not give static domain names in Allow-Origin and should always give * or request.header.origin.

Because I thought that if a new consumer wants to send requests to the API, then we need to make changes in Allow-Origin to add his domain name. So we need to change Allow-Origin per consumer domain.

Per consumer, we need to make proxy changes. Is it really good to do it this way?

Should the APIGEE proxy be designed for the backend API, or should it also consider the consumer?