Microservices Engine:Configure a CORS policy

Configure a CORS policy

1. Log on to the MSE console.

2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

3. On the Gateways page, click the name of the gateway.

4. In the left-side navigation pane, choose Routes > Route Settings.

5. On the page that appears, find the route that you want to modify, and click Policies in the Actions column.

6. In the Policies section of the page that appears, click the CORS tab.

   • If no CORS policy exists, click Add Policy.

   • If a CORS policy already exists, click the icon to the right of CORS.

   Note

   The CORS policy does not take effect for a mock service. You must configure an actual backend test service.

7. On the CORS tab, configure the parameters and click OK.

   

   The following table describes the parameters of a CORS policy.

   Parameter	Description
   Allowed Origins	The origins that are allowed to access resources in the current server by using a browser. Configuration rules: To specify all origins, enter an asterisk (*). To specify a root domain name, use an asterisk (*) as a wildcard character in the domain name, such as *.example.com. To specify multiple origins, enter each origin in a separate row. Each origin must start with http:// or https://. Note The specified domain names are the values of the Access-Control-Allow-Origin header. If the Origin header of the request sent by the client matches an origin that is specified in this parameter, the Access-Control-Allow-Origin header in the response is set to the Origin value of the request.
   Allowed Methods	The allowed HTTP method for CORS requests. Valid values: GET, POST, PUT, DELETE, HEAD, OPTIONS, and PATCH. Note The specified methods are the value of the Access-Control-Allow-Methods header.
   Allowed Request Headers	The extra headers that are allowed in CORS requests other than the built-in headers of browsers. Configuration rules: To specify all request headers, enter an asterisk (*). To specify multiple request headers, enter each request header in a separate row. Note The specified headers are the value of the Access-Control-Allow-Headers header.
   Allowed Response Headers	The response headers that can be obtained by browsers and JavaScript files. Configuration rules: To specify all response headers, enter an asterisk (*). To specify multiple response headers, enter each response header in a separate row. Note The specified headers are the value of the Access-Control-Expose-Headers header.
   Allow to Carry Credentials	Specifies whether to allow credentials in CORS requests. Note The parameter value is the value of the Access-Control-Allow-Credentials header.
   Precheck Expiration Time	The maximum period of time during which a preflight request that uses the OPTIONS method is cached. Note The specified period of time is the value of the Access-Control-Max-Age header.
   Enable	Specifies whether to enable the CORS policy. If you enable the policy, CORS requests are allowed based on the policy. If you disable the policy, all CORS requests are rejected.

Verify the result

• Run the following command to check the result:

  curl -I -H "Origin: http://example.com" -H 'Host: www.test.com' -X OPTIONS http://121.196.XX.XX/demo/item/list

• A response that is similar to the following is returned:

  HTTP/1.1 200 OK
  allow: GET,HEAD,OPTIONS
  x-content-type-options: nosniff
  x-xss-protection: 1; mode=block
  cache-control: no-cache, no-store, max-age=0, must-revalidate
  pragma: no-cache
  expires: 0
  x-frame-options: DENY
  content-length: 0
  date: Tue, 30 Nov 2021 03:20:31 GMT
  x-envoy-upstream-service-time: 6
  access-control-allow-origin: http://example.com
  access-control-allow-credentials: true
  access-control-expose-headers: *
  server: istio-envoy