CORS

Understanding CORS

Cross-Origin Resource Sharing (CORS) is a browser-enforced mechanism that relaxes the same-origin policy in a controlled way: the server names the external origins that may read responses from some or all routes of your domain, and the browser uses the `Access-Control-*` response headers to decide whether a response from a different origin may be handed to the calling script. Because the check runs in the client, CORS limits what pages on other origins can do through the browser; it does not restrict non-browser clients such as `curl`, and it is not a substitute for authentication or authorization on the route itself.

It aims to allow cross-origin requests made on behalf of the user while blocking those made by rogue JavaScript. As an example, it is triggered whenever scenarios like the ones below occur:

For more details, see this article.

Where to Use It

In order to allow your VirtualService to work with CORS, you need to add a `cors` block to the `options` of the `virtualHost` part of your VirtualService:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: corsexample
  namespace: gloo-system
spec:
  displayName: corsexample
  virtualHost:
    options:
      cors:
        (...)
    domains:
    - '*'

Some upstream apps, such as `httpbin`, have built-in CORS policies that allow all origins. These policies take precedence over CORS policies that you might have configured in Gloo Edge, so check the headers the application itself emits before relying on the gateway policy.

Available Fields

The following fields are available when specifying CORS on your VirtualService:

None of the fields has a documented default; an unset field simply emits no corresponding header.

allowOrigin ([]string)
  Specifies the origins that will be allowed to make CORS requests. Entries are compared verbatim, including the scheme. An origin is allowed if either `allowOrigin` or `allowOriginRegex` matches.

allowOriginRegex ([]string)
  Specifies regex patterns that match origins that will be allowed to make CORS requests. An origin is allowed if either `allowOrigin` or `allowOriginRegex` matches.

allowMethods ([]string)
  Specifies the content for the access-control-allow-methods header.

allowHeaders ([]string)
  Specifies the content for the access-control-allow-headers header.

exposeHeaders ([]string)
  Specifies the content for the access-control-expose-headers header.

maxAge (string)
  Specifies the content for the access-control-max-age header, i.e. the number of seconds a browser may cache the preflight result.

allowCredentials (bool)
  Specifies whether the resource allows credentials (cookies, Authorization headers, TLS client certificates) on cross-origin requests from the allowed origins.

Regex Grammar

Note that Gloo Edge uses ECMAScript regex grammar.

For example, in order to match all subdomains:

Example

In the example below, the virtual service uses CORS parameters to inform the browser that pages served from `https://*.gloo.dev` (or `https://solo.io`) may make GET and POST calls to it, with credentials, and read the responses. This lets a front end hosted on those origins consume your application even though the application is not served from there. Because `allowCredentials` is true, every origin admitted by `allowOrigin` or `allowOriginRegex` can make cookie-authenticated requests on behalf of a logged-in user, so the regex must match only hosts you control: the dots are escaped so that `.` means a literal dot rather than any character.

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: corsexample
  namespace: gloo-system
spec:
  displayName: corsexample
  virtualHost:
    options:
      cors:
        # Only enable this when every allowed origin is trusted: it lets those
        # origins send the user's cookies/credentials and read the response.
        allowCredentials: true
        allowHeaders:
        - origin
        allowMethods:
        - GET
        - POST
        allowOrigin:
        # The scheme portion of the URL is required; the match is exact.
        - 'https://solo.io'
        allowOriginRegex:
        # Dots are escaped: an unescaped '.' would also match e.g. https://evil-gloo.dev
        - 'https://[a-zA-Z0-9]*\.gloo\.dev'
        exposeHeaders:
        - origin
        # Value of access-control-max-age, in seconds (here one day).
        maxAge: '86400'
    domains:
    - '*'
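To see what the policy above admits before deploying it, the following Go program models the documented `allowOrigin` / `allowOriginRegex` rule and runs it over a constructed list of `Origin` values. It is an added example written for this page, not Gloo Edge's or Envoy's own matching code. It assumes that a regex is matched against the whole `Origin` header value (the patterns are anchored with `^(?:...)$`), uses Go's RE2-syntax `regexp` package rather than the ECMAScript grammar named above (the patterns involved are valid and behave identically in both), and the attacker-controlled host names `evil-gloo.dev` and `gloo.dev.attacker.example` are hypothetical. The two policies differ only in whether the dots in the regex are escaped, which is the mistake the example section guards against.

```go
package main

import (
	"fmt"
	"regexp"
)

// corsPolicy mirrors the origin-related fields of the Gloo Edge VirtualHost
// cors options discussed on this page. It is an illustrative type written
// for this example, not Gloo Edge's own Go type.
type corsPolicy struct {
	allowOrigin      []string
	allowOriginRegex []string
	allowCredentials bool
}

// originAllowed applies the documented rule: an origin is allowed if it is
// listed verbatim in allowOrigin or matches any allowOriginRegex pattern.
// ASSUMPTION: patterns are matched against the entire Origin header value,
// so each pattern is anchored with ^(?:...)$ before compiling.
func (p corsPolicy) originAllowed(origin string) (bool, error) {
	for _, o := range p.allowOrigin {
		if o == origin { // exact, scheme-sensitive comparison
			return true, nil
		}
	}
	for _, pat := range p.allowOriginRegex {
		re, err := regexp.Compile("^(?:" + pat + ")$")
		if err != nil {
			return false, fmt.Errorf("allowOriginRegex %q: %w", pat, err)
		}
		if re.MatchString(origin) {
			return true, nil
		}
	}
	return false, nil
}

// responseHeaders returns the CORS headers an allowed origin would receive:
// the request Origin echoed back (never "*" when credentials are allowed)
// plus Access-Control-Allow-Credentials when the policy enables it. A
// disallowed origin gets no CORS headers, so the browser blocks the read.
func (p corsPolicy) responseHeaders(origin string) (map[string]string, error) {
	ok, err := p.originAllowed(origin)
	if err != nil || !ok {
		return nil, err
	}
	h := map[string]string{"Access-Control-Allow-Origin": origin}
	if p.allowCredentials {
		h["Access-Control-Allow-Credentials"] = "true"
	}
	return h, nil
}

// evaluate reports, for every candidate origin, whether the policy allows it.
func evaluate(p corsPolicy, origins []string) (map[string]bool, error) {
	out := make(map[string]bool, len(origins))
	for _, o := range origins {
		ok, err := p.originAllowed(o)
		if err != nil {
			return nil, err
		}
		out[o] = ok
	}
	return out, nil
}

// loosePolicy uses the regex with unescaped dots: "." matches any character,
// so a host that merely ends in "<anything>gloo<anything>dev" is admitted.
var loosePolicy = corsPolicy{
	allowOrigin:      []string{"https://solo.io"},
	allowOriginRegex: []string{`https://[a-zA-Z0-9]*.gloo.dev`},
	allowCredentials: true,
}

// strictPolicy escapes the dots so only real subdomains of gloo.dev match.
var strictPolicy = corsPolicy{
	allowOrigin:      []string{"https://solo.io"},
	allowOriginRegex: []string{`https://[a-zA-Z0-9]*\.gloo\.dev`},
	allowCredentials: true,
}

// candidateOrigins is a constructed list of Origin header values; the
// attacker-controlled names are hypothetical.
var candidateOrigins = []string{
	"https://solo.io",                   // exact allowOrigin match
	"http://solo.io",                    // wrong scheme: rejected
	"https://api.gloo.dev",              // legitimate subdomain
	"https://evil-gloo.dev",             // registrable by an attacker; only the loose regex accepts it
	"https://gloo.dev.attacker.example", // suffix attack; rejected because the pattern is anchored
}

func main() {
	for name, p := range map[string]corsPolicy{"loose": loosePolicy, "strict": strictPolicy} {
		res, err := evaluate(p, candidateOrigins)
		if err != nil {
			panic(err)
		}
		for _, o := range candidateOrigins {
			fmt.Printf("%-6s %-36s allowed=%v\n", name, o, res[o])
		}
	}
}
```

Run it with `go run` to see that `https://evil-gloo.dev` is accepted by the loose policy and rejected by the strict one, while `http://solo.io` and the suffix-attack origin are rejected by both. Once the VirtualService is applied, confirm the live behaviour the same way: send an `OPTIONS` preflight to the gateway with an `Origin` header for each candidate and check whether `Access-Control-Allow-Origin` comes back, since anchoring and regex grammar are ultimately decided by the Envoy build Gloo Edge ships.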