Cross-Origin Resource Sharing (CORS) is a method of enforcing client-side access controls on resources by specifying which external origins are able to access certain or all routes of your domain. Browsers use the presence of HTTP headers to determine if a response from a different origin is allowed.
It is a mechanism intended to allow cross-origin requests made on your behalf while blocking requests made by rogue JavaScript. The browser applies it whenever a page makes a request to a different origin, for example:
- a different domain (e.g. site at example.com calls api.com)
- a different sub domain (e.g. site at example.com calls api.example.com)
- a different port (e.g. site at example.com calls example.com:3001)
- a different protocol (e.g. site at
For more details, see this article.
Where to Use It
In order to allow your VirtualService to work with CORS, you need to add a new set of configuration options in the VirtualHost part of your
```yaml
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: corsexample
  namespace: gloo-system
spec:
  displayName: corsexample
  virtualHost:
    options:
      cors:
        (...)
    domains:
      - '*'
```
The following fields are available when specifying CORS on your
| Field | Description |
|---|---|
| allowOrigin | Specifies the origins that will be allowed to make CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match. |
| allowOriginRegex | Specifies regex patterns that match origins that will be allowed to make CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match. |
| allowMethods | Specifies the content for the access-control-allow-methods header. |
| allowHeaders | Specifies the content for the access-control-allow-headers header. |
| exposeHeaders | Specifies the content for the access-control-expose-headers header. |
| maxAge | Specifies the content for the access-control-max-age header. |
| allowCredentials | Specifies whether the resource allows credentials. |
Note that Gloo Edge uses ECMAScript regex grammar.
For example, in order to match all subdomains:
- Do not use:
- Instead, use:
In the example below, the virtual service, through its CORS parameters, will inform your browser that it should also allow POST calls from services located on solo.io (https://solo.io). This could allow you to host scripts or other needed resources on solo.io (https://solo.io), even if your application is not being served from that location.
```yaml
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: corsexample
  namespace: gloo-system
spec:
  displayName: corsexample
  virtualHost:
    options:
      cors:
        allowCredentials: true
        allowHeaders:
          - origin
        allowMethods:
          - GET
          - POST
        allowOrigin:
          # The scheme portion of the URL is required
          - 'https://solo.io'
        allowOriginRegex:
          - 'https://[a-zA-Z0-9]*.gloo.dev'
        exposeHeaders:
          - origin
        maxAge: 1d
    domains:
      - '*'
```
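As an added worked example (not Gloo Edge's own code), the Python model below applies the "allowed if either allowOrigin or allowOriginRegex matches" rule from the table to the policy above and builds the response headers the gateway would add; full-match regex semantics are an assumption of this model. It also shows why the unescaped dot in `https://[a-zA-Z0-9]*.gloo.dev` accepts an origin such as https://xgloo.dev, and how the escaped form does not.

```python
import re

# Constructed policy mirroring the virtual service above (not generated by Gloo).
CORS_POLICY = {
    "allowOrigin": ["https://solo.io"],
    "allowOriginRegex": [r"https://[a-zA-Z0-9]*.gloo.dev"],  # '.' unescaped, as on the page
    "allowMethods": ["GET", "POST"],
    "allowHeaders": ["origin"],
    "exposeHeaders": ["origin"],
    "maxAge": "1d",
    "allowCredentials": True,
}

# Same policy with the dots escaped so only real *.gloo.dev hosts match.
TIGHTENED_POLICY = dict(CORS_POLICY, allowOriginRegex=[r"https://[a-zA-Z0-9]*\.gloo\.dev"])


def origin_allowed(policy, origin):
    """Allowed if the Origin header equals an allowOrigin entry or fully matches
    any allowOriginRegex pattern (full-match semantics are an assumption here)."""
    if origin in policy["allowOrigin"]:
        return True
    return any(re.fullmatch(pattern, origin) for pattern in policy["allowOriginRegex"])


def cors_headers(policy, origin):
    """Headers the gateway would add for a request from `origin`; {} when denied.
    maxAge is passed through verbatim, as the table says it is header content."""
    if origin is None or not origin_allowed(policy, origin):
        return {}
    headers = {
        "access-control-allow-origin": origin,
        "access-control-allow-methods": ",".join(policy["allowMethods"]),
        "access-control-allow-headers": ",".join(policy["allowHeaders"]),
        "access-control-expose-headers": ",".join(policy["exposeHeaders"]),
        "access-control-max-age": policy["maxAge"],
    }
    if policy["allowCredentials"]:
        headers["access-control-allow-credentials"] = "true"
    return headers


def audit_origins(policy, origins):
    """Review helper: map each candidate Origin to the policy's decision."""
    return {origin: origin_allowed(policy, origin) for origin in origins}


if __name__ == "__main__":
    candidates = ["https://solo.io", "http://solo.io", "https://api.gloo.dev",
                  "https://xgloo.dev", "https://evil.example"]
    print("page regex:   ", audit_origins(CORS_POLICY, candidates))
    print("escaped regex:", audit_origins(TIGHTENED_POLICY, candidates))
```

Running the audit against both policies shows the only difference is `https://xgloo.dev`, which the page's pattern accepts because the unescaped `.` matches the `x`.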