CORS

Enforce client-site access controls with cross-origin resource sharing (CORS).

For example, you can configure requests that are made on your behalf. At the same time, you can block requests that are made by attacks, such as Javascript code or malware. Consider the following request scenarios that you can configure with CORS.

For more information, see the following resources.

Before you begin

  1. Complete the demo setup to install Gloo Mesh, Istio, and Bookinfo in your cluster.

  2. Create the Gloo Mesh resources for this policy in the management and workload clusters.

    The following files are examples only for testing purposes. Your actual setup might vary. You can use the files as a reference for creating your own tests.

    1. Download the following Gloo Mesh resources:
    2. Apply the files to your management cluster.
      kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-1.yaml --context ${MGMT_CONTEXT}
      kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-2.yaml --context ${MGMT_CONTEXT}
      kubectl apply -f workspace_gloo-mesh_anything.yaml --context ${MGMT_CONTEXT}
      
    1. Download the following Gloo Mesh resources:
    2. Apply the files to your workload cluster.
      kubectl apply -f route-table_bookinfo_www-example-com.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f virtual-gateway_bookinfo_north-south-gw.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f workspace-settings_bookinfo_anything.yaml --context ${REMOTE_CONTEXT1}
      

Configure CORS policies

You can apply a CORS policy at the route level. For more information, see Applying policies.

Review the following sample configuration files.

apiVersion: security.policy.gloo.solo.io/v2
kind: CORSPolicy
metadata:
  name: simple-cors
  namespace: bookinfo
  clusterName: cluster-1
spec:
  applyToRoutes:
  - route:
      labels:
        route: ratings
  config:
    maxAge: 1m
    allowCredentials: true
    allowHeaders:
    - foo
    - bar
    allowMethods:
    - GET
    allowOrigins:
    - exact: http://istio.io  

Verify CORS policies

  1. Apply the example CORS policy in the cluster with the Bookinfo workspace in your example setup.

    kubectl apply --context ${REMOTE_CONTEXT1} -f FILE.YAML
    
  2. Send a request to the ratings app through the ingress gateway that the route table is attached to.

    curl -i -X OPTIONS -H "Host: eu.bookinfo.com" \
      -H "Origin: http://istio.io" \
      -H "Access-Control-Request-Method: GET" \
      ${INGRESS_GW_IP}/ratings/1
    
  3. Send a request to the reviews app from the product page app directly to test east-west traffic.

    kubectl exec $(kubectl get pod -l app=productpage  -A  -o jsonpath='{.items[0].metadata.name}') --namespace=bookinfo -c productpage  -- curl -sS reviews:9080/reviews/v1 -v -H "Host: eu.bookinfo.com" -H "Origin: http://istio.io" \
      -H "Access-Control-Request-Method: GET"
    
  4. Review the responses to verify your CORS policy. Depending on how you set up the policy, you might still expect to get a 200 response, but certain access control headers are missing, which let you know that the CORS is rejected.

    • If CORS is enabled, you see an Access-Control-Allow-Origin header in the response.
    • If CORS is disabled, you do not see any Access-Control-* headers in the response.
    • If the preflight request is successful, the response includes the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers. If the request was not successful, these headers are missing.

    Example response:

    HTTP/1.1 200 OK 
    access-control-allow-origin: http://istio.io 
    access-control-allow-credentials: true 
    access-control-allow-methods: GET 
    access-control-allow-headers: foo,bar 
    access-control-max-age: 60 
    date: Tue, 02 Feb 2022 22:29:04 GMT 
    server: istio-envoy 
    content-length: 0