
API Gateway:Configure a CORS policy

Last Updated:Mar 10, 2025

Cross-origin resource sharing (CORS) is a browser security mechanism that lets a web application server control which origins may access its resources across origin boundaries, so that cross-origin data can be exchanged securely. Cloud-native API Gateway instances allow you to configure CORS policies at the route level, so that resources are accessible only from the specific domain names and with the specific request methods that your business requires. This prevents security risks such as cross-site request forgery and ensures the reliability and security of services.

Configure a CORS policy

  1. Log on to the Cloud-native API Gateway console.

  2. In the left-side navigation pane, click API. In the top navigation bar, select a region.

  3. Click the target API. On the API details page, click the name of the target route. Click the Configure Policy tab and click CORS on the left.

    Note

    The CORS policy does not take effect for a mock service. You must configure an actual backend test service.

  4. Configure the parameters on the right and click Save. The following table describes the parameters:

    Parameter

    Description

    Enable

    Specifies whether to enable the CORS policy.

    • If you enable the policy, CORS requests are allowed based on the policy.

    • If you disable the policy, all CORS requests are rejected.

    Allowed Origins

    The origins that are allowed to access resources on this server from a browser. Configuration rules:

    • To allow all domain names to access the server, specify *.

    • To allow all subdomains of a root domain name, use an asterisk (*) as a wildcard in the domain name, for example *.example.com.

    • To specify multiple origins, enter each origin in a separate row. Each origin must start with http:// or https://.

    Note

    This parameter determines the value of the Access-Control-Allow-Origin header. If the Origin header of the client request matches an origin that is specified here, the Access-Control-Allow-Origin header in the response is set to the Origin value of that request.

    Allowed Methods

    The HTTP methods that are allowed for CORS requests. Valid values: GET, POST, PUT, DELETE, HEAD, OPTIONS, and PATCH.

    Note

    The specified methods are the value of the Access-Control-Allow-Methods header.

    Trusted Request Headers

    The additional request headers, beyond those that browsers send by default, that are allowed in CORS requests. Configuration rules:

    • To specify all request headers, enter an asterisk (*).

    • To specify multiple request headers, enter each request header in a separate row.

    Note

    The specified headers are the value of the Access-Control-Allow-Headers header.

    Trusted Response Headers

    The response headers that browsers expose to JavaScript code. Configuration rules:

    • To specify all response headers, enter an asterisk (*).

    • To specify multiple response headers, enter each response header in a separate row.

    Note

    The specified headers are the value of the Access-Control-Expose-Headers header.

    Allow to Carry Credentials

    Specifies whether to allow credentials in CORS requests.

    Note

    The parameter value is the value of the Access-Control-Allow-Credentials header.

    Precheck Expiration Time

    The maximum period of time for which a browser may cache the result of a preflight request (an OPTIONS request).

    Note

    The specified period of time is the value of the Access-Control-Max-Age header.

Verify the result

  • Run the following command to check the result:

    curl -I -H "Origin: http://example.com" -H "Access-Control-Request-Method: GET" -H 'Host: www.test.com' -X OPTIONS http://121.196.XX.XX/demo/item/list

  • A response that is similar to the following is returned:

    HTTP/1.1 200 OK
    allow: GET,HEAD,OPTIONS
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    cache-control: no-cache, no-store, max-age=0, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: DENY
    content-length: 0
    date: Tue, 30 Nov 2021 03:20:31 GMT
    x-envoy-upstream-service-time: 6
    access-control-allow-origin: http://example.com
    access-control-allow-credentials: true
    access-control-allow-methods: GET,POST,PUT,DELETE,HEAD,OPTIONS
    access-control-expose-headers: *
    server: istio-envoy
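To make the mapping between the policy parameters and the response headers concrete, the following Python model is an added example and not the gateway's own code. It evaluates a preflight request against a constructed policy that mirrors the verification response above: the request Origin is matched against the configured patterns and echoed back, the requested method and headers are checked, and the headers named in the notes of the table are produced. Matching a *.example.com pattern on a whole host label regardless of scheme, and returning an empty header set for a rejected request, are assumptions of this example rather than documented gateway behaviour.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CorsPolicy:
    """Constructed model of the console parameters in the table above."""
    enabled: bool = True
    allowed_origins: list = field(default_factory=list)  # "*", "*.example.com", "https://app.example.com"
    allowed_methods: list = field(default_factory=list)
    allowed_headers: list = field(default_factory=list)  # Trusted Request Headers
    exposed_headers: list = field(default_factory=list)  # Trusted Response Headers
    allow_credentials: bool = False
    max_age: int = 600                                   # Precheck Expiration Time, seconds


def origin_allowed(policy, origin):
    """Match the request Origin against the patterns. A "*.example.com" pattern matches
    subdomains on a label boundary only (assumption), so "evil-example.com" and
    "example.com.attacker.invalid" never match."""
    host = urlsplit(origin).hostname
    if not host:
        return False
    for pattern in policy.allowed_origins:
        if pattern == "*" or pattern == origin:
            return True
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False


def preflight_headers(policy, origin, req_method, req_headers=()):
    """Headers added to an OPTIONS preflight response, or {} when the policy rejects it."""
    if not policy.enabled or not origin_allowed(policy, origin):
        return {}
    if req_method not in policy.allowed_methods:
        return {}
    allowed = {h.lower() for h in policy.allowed_headers}
    if "*" not in allowed and any(h.lower() not in allowed for h in req_headers):
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,  # the matched Origin is echoed, not the pattern
        "Access-Control-Allow-Methods": ",".join(policy.allowed_methods),
        "Access-Control-Max-Age": str(policy.max_age),
    }
    if policy.allowed_headers:
        headers["Access-Control-Allow-Headers"] = ",".join(policy.allowed_headers)
    if policy.exposed_headers:
        headers["Access-Control-Expose-Headers"] = ",".join(policy.exposed_headers)
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed policy mirroring the verification response shown above.
DEMO_POLICY = CorsPolicy(allowed_origins=["http://example.com", "*.example.com"],
                         allowed_methods=["GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS"],
                         exposed_headers=["*"], allow_credentials=True)
```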

References

For more information about CORS, see Cross-Origin Resource Sharing (CORS).