CORS
Enforce client-side access controls with cross-origin resource sharing (CORS). For example, you can allow cross-origin requests that are made on your behalf, while blocking requests that are made by attackers, such as through malicious JavaScript code or malware. Consider the following cross-origin request scenarios that you can configure with CORS.
- A different domain, such as an example.com site that calls api.com
- A different subdomain, such as example.com calling api.example.com
- A different port, such as example.com calling example.com:3001
- A different protocol, such as https://example.com calling http://example.com
For more information, see the following resources.
Before you begin
- Complete the demo setup to install Gloo Mesh, Istio, and Bookinfo in your cluster.
- Create the Gloo Mesh resources for this policy in the management and workload clusters.
  The following files are examples only for testing purposes. Your actual setup might vary. You can use the files as a reference for creating your own tests.
  - Download the following Gloo Mesh resources:
  - Apply the files to your management cluster.
    kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-1.yaml --context ${MGMT_CONTEXT}
    kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-2.yaml --context ${MGMT_CONTEXT}
    kubectl apply -f workspace_gloo-mesh_anything.yaml --context ${MGMT_CONTEXT}
  - Download the following Gloo Mesh resources:
  - Apply the files to your workload cluster.
    kubectl apply -f route-table_bookinfo_www-example-com.yaml --context ${REMOTE_CONTEXT1}
    kubectl apply -f virtual-gateway_bookinfo_north-south-gw.yaml --context ${REMOTE_CONTEXT1}
    kubectl apply -f workspace-settings_bookinfo_anything.yaml --context ${REMOTE_CONTEXT1}
Configure CORS policies
You can apply a CORS policy at the route level. For more information, see Applying policies.
Review the following sample configuration files.
apiVersion: security.policy.gloo.solo.io/v2
kind: CORSPolicy
metadata:
  name: simple-cors
  namespace: bookinfo
  clusterName: cluster-1
spec:
  applyToRoutes:
  - route:
      labels:
        route: ratings
  config:
    maxAge: 1m
    allowCredentials: true
    allowHeaders:
    - foo
    - bar
    allowMethods:
    - GET
    allowOrigins:
    - exact: http://istio.io
Verify CORS policies
- Apply the example CORS policy in the cluster with the Bookinfo workspace in your example setup.
  kubectl apply --context ${REMOTE_CONTEXT1} -f FILE.YAML
- Send a request to the ratings app through the ingress gateway that the route table is attached to.
  curl -i -X OPTIONS -H "Host: eu.bookinfo.com" \
    -H "Origin: http://istio.io" \
    -H "Access-Control-Request-Method: GET" \
    ${INGRESS_GW_IP}/ratings/1
- Send a request to the reviews app from the product page app directly to test east-west traffic.
  kubectl exec $(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') \
    --namespace=bookinfo -c productpage -- curl -sS reviews:9080/reviews/v1 -v \
    -H "Host: eu.bookinfo.com" -H "Origin: http://istio.io" \
    -H "Access-Control-Request-Method: GET"
- Review the responses to verify your CORS policy. Depending on how you set up the policy, you might still get a 200 response while certain access control headers are missing, which indicates that the CORS request was rejected.
  - If CORS is enabled, you see an Access-Control-Allow-Origin header in the response.
  - If CORS is disabled, you do not see any Access-Control-* headers in the response.
  - If the preflight request is successful, the response includes the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers headers. If the request was not successful, these headers are missing.
  Example response:
  HTTP/1.1 200 OK
  access-control-allow-origin: http://istio.io
  access-control-allow-credentials: true
  access-control-allow-methods: GET
  access-control-allow-headers: foo,bar
  access-control-max-age: 60
  date: Tue, 02 Feb 2022 22:29:04 GMT
  server: istio-envoy
  content-length: 0
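The header checks described above can be scripted so a verification run fails instead of relying on reading the curl output by eye. The following is an added example and not part of the Gloo Mesh docs; it classifies a captured preflight response against the Origin that was sent, assuming the gateway echoes the exact allowed origin as the policy above configures. The sample responses are constructed, not real captures.

```shell
# Added example, not from the Gloo Mesh docs: classify a captured CORS
# preflight response against the origin that was sent in the request.
# Constructed sample responses (modelled on the docs' example response).
PREFLIGHT_OK='HTTP/1.1 200 OK
access-control-allow-origin: http://istio.io
access-control-allow-credentials: true
access-control-allow-methods: GET
access-control-allow-headers: foo,bar
access-control-max-age: 60
server: istio-envoy
content-length: 0'
PREFLIGHT_NO_CORS='HTTP/1.1 200 OK
server: istio-envoy
content-length: 0'
PREFLIGHT_WILDCARD='HTTP/1.1 200 OK
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET
access-control-allow-headers: foo,bar
content-length: 0'

# cors_header RESPONSE NAME: print the first value of header NAME
# (header names are case-insensitive), or nothing if it is absent.
cors_header() {
  printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' \
    | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# cors_preflight_status RESPONSE ORIGIN prints one of:
#   rejected - no Access-Control-* headers (policy did not match, or ORIGIN is not allowed)
#   unsafe   - wildcard origin combined with allow-credentials: true
#   allowed  - ORIGIN echoed back and the method/header allow-lists are present
#   partial  - some CORS headers present, but not a complete preflight for ORIGIN
cors_preflight_status() {
  resp=$1
  origin=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  any=$(printf '%s\n' "$resp" | tr 'A-Z' 'a-z' | sed -n '/^access-control-/p')
  acao=$(cors_header "$resp" access-control-allow-origin)
  acam=$(cors_header "$resp" access-control-allow-methods)
  acah=$(cors_header "$resp" access-control-allow-headers)
  acac=$(cors_header "$resp" access-control-allow-credentials)
  if [ -z "$any" ]; then echo rejected; return 0; fi
  if [ "$acao" = '*' ] && [ "$acac" = true ]; then echo unsafe; return 0; fi
  if [ "$acao" = "$origin" ] && [ -n "$acam" ] && [ -n "$acah" ]; then
    echo allowed; return 0
  fi
  echo partial
}
```

In a live check, pass the output of the `curl -i -X OPTIONS ...` command above as the first argument, for example `cors_preflight_status "$(curl -si -X OPTIONS ... ${INGRESS_GW_IP}/ratings/1)" http://istio.io`.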