Cross-Origin Resources Sharing (CORS) Headers

Overview

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to specify origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

This is useful when a site resource needs to load resources from a different host. CORS headers inform the browser that it is safe to allow these cross-origin requests.

When this rule is configured, CORS headers are dynamically generated dynamically and added to the origin response, detailing which cross-origin requests are allowed. This rule can also be used to specify additional preflight CORS processing behaviors.

Configure the Rule

Here, we'll describe how to configure the rule with the Delivery Service Management UI.

API Users may choose to build the site configuration offline.

To configure a CORS Headers rule:

1. Navigate to the Select Rule dialog.

2. In the Select Rule dialog, choose CORS Headers.

3. In the Allow Origin Pattern(s) field, specify the origins (domains, schemes, or ports) from which you want to allow loading resources, or enter the wildcard character (*) to allow all sources.

4. Optionally, enable Return Wildcard "Access-Control-Allow-Origin" to return the Access-Control-Allow-Origin header with the wildcard value rather than with the value from the request origin header.

5. Toggle on the Preflight CORS option and then set any of the following:

   Parameter	Description	Example
   Expose Additional Headers	Determines which headers are exposed in the response and made accessible to the client. This parameter is returned in the Access-Control-Expose-Headers header.	Content-Encoding
   Allow Methods	Indicates the HTTP methods that are permitted for cross-origin requests. This parameter is returned in the Access-Control-Allow-Methods response header.	Get, Options
   Max Age	Sets a TTL for the CORS headers, in seconds. You can use this parameter to reduce traffic to the origin.	3000
   Allow Headers	Specifies the headers allowed to be used in subsequent cross origin requests. If a client uses other headers, the browser will block the request. This parameter is returned in the Access-Control-Allow-Headers header.	X-Custom-Header, Upgrade-Insecure-Requests
   Credentials	Toggle On the Credentials parameter to indicate that the browser should include credentials when making the request. Then select Allow or Deny to determine whether or not the credentials are exposed in the response to the request. These settings are returned in the Access-Control-Allow-Credentials header.	Allow

6. Choose Add Rule.

SVTA Component: MI.CrossoriginPolicy

When you save the configuration version, the MI.CrossoriginPolicy component is added to the configuration JSON.

Example 1:
In this example, the MI.CrossoriginPolicy component is configured to enable cross origin requests for all origins:

{
	"generic-metadata-type": "MI.CrossoriginPolicy",
	"generic-metadata-value": {
		"allow-origin": {
			"allow-list": [
				{
					"pattern": "*"
				}
			],
			"wildcard-return": true
		}
	}
},

Example 2:
In this example, the MI.CrossoriginPolicy component includes additional Preflight CORS parameters:

{
	"generic-metadata-type": "MI.CrossoriginPolicy",
	"generic-metadata-value": {
		"allow-credentials": true,
		"allow-headers": [
			"X-Custom-Header",
            "Upgrade-Insecure-Requests"
		],
		"allow-methods": [
			"GET",
			"PUT",
			"OPTIONS"
		],
		"allow-origin": {
			"allow-list": [
				{
					"pattern": "*"
				}
			],
			"wildcard-return": true
		},
		"expose-headers": [
			"Content-Encoding"
		],
		"max-age": 3000
	}
},