About CORS Request Workflows

Overview of Cross-Origin Resource Sharing (CORS) request workflows.

Simple CORS Request Workflow

  1. The Request is identified as a CORS Request by the presence of the Origin Request Header.
  2. If necessary (for example, cache expiry), the Cloud Gate CORS settings are downloaded from Oracle Identity Cloud Service.
  3. Cloud Gate processes the request - either rejecting the request or allowing it through to the upstream application server.
  4. Before a response is returned, Cloud Gate enforces CORS as defined by the Cloud Gate CORS settings.
    1. Cloud Gate always ensures that the Vary Response Header is part of the Response - and contains the "Origin" Header. This occurs even for non-CORS Requests.
    2. If cloudGateCorsEnabled is false, processing stops here. The Response is returned as-is.
    3. Cloud Gate verifies that the Origin is allowed - using the configured list of Allowed Origins.

      If the Origin isn't allowed, all supported CORS Response Headers are stripped from the Response and processing ends.

    4. The Access-Control-Allow-Origin Response Header is added and configured to the value of the Origin Request Header.
    5. The Access-Control-Allow-Credentials Response Header is added and configured to true.
    6. The Access-Control-Expose-Headers is configured to the intersection between the cloudGateCorsExposedHeaders value, and the list of Headers being returned in the Response.
    7. The Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Max-Age Response Headers are removed from the Response.
  5. Cloud Gate returns its Response.

Note:

Cloud Gate overwrites the Access-Control-Allow-Origin and Access-Control-Allow-Credentials Response Headers if set by the upstream application server.

Preflight CORS Request Workflow

  1. The Request is identified as a CORS Request by the presence of the Origin Request Header.
  2. If necessary (for example, cache expiry), the Cloud Gate CORS settings are downloaded from Oracle Identity Cloud Service.
  3. The Request is identified as a Preflight CORS Request by the OPTIONS Method and the Access-Control-Request-Method Request Header - in addition to the Origin Request Header.
  4. If cloudGateCorsEnabled is true, the Request is allowed to go through to the upstream application server - to allow applications to implement CORS.

    If cloudGateCorsEnabled is false, the old isCorsAllowed Web Tier Policy setting is still honored - just later in the request processing.

  5. Before the response is returned from Cloud Gate, CORS is enforced as defined by the Cloud Gate CORS settings.
    1. Cloud Gate always ensures that the Vary Response Header is part of the Response - and contains the "Origin" Header. This occurs even for non-CORS Requests.
    2. If cloudGateCorsEnabled is false, processing stops here. The Response is returned as-is.
    3. Cloud Gate verifies that the Origin is allowed - using the configured list of Allowed Origins.

      If the Origin isn't allowed, all supported CORS Response Headers are stripped from the Response and processing ends.

    4. The Access-Control-Allow-Origin Response Header is added and configured to the value of the Origin Request Header.
    5. The Access-Control-Allow-Credentials Response Header is added and configured to true.
    6. If the upstream application server didn't add the Access-Control-Allow-Methods Response Header, Cloud Gate constructs its value as follows:
      • If the Allow Response Header is included in the Response, Cloud Gate uses its value.
      • If the Access-Control-Request-Method Request Header is found in the Request, Cloud Gate uses its value.
    7. If the upstream application server didn't add the Access-Control-Allow-Headers Response Header, Cloud Gate uses the value of the Access-Control-Request-Headers Request Header in the Request if it is present.
    8. If cloudGateCorsMaxAge is configured to a value greater than zero, the Access-Control-Max-Age Response Header is added and configured to the max age value. If the cloudGateCorsMaxAge value is zero or less, no action is taken for the Access-Control-Max-Age Response Header.
    9. The Access-Control-Expose-Headers Response Header is removed. It doesn't apply to Preflight Responses.
  6. Cloud Gate returns its Response.