About CORS Request Workflows
Overview of Cross-Origin Resource Sharing (CORS) request workflows.
Simple CORS Request Workflow
- The Request is identified as a CORS Request by the presence of the Origin Request Header.
- If necessary (for example, cache expiry), the Cloud Gate CORS settings are downloaded from Oracle Identity Cloud Service.
- Cloud Gate processes the request - either rejecting the request or allowing it through to the upstream application server.
- Before a response is returned, Cloud Gate enforces CORS as defined by the Cloud Gate CORS settings.
- Cloud Gate always ensures that the Vary Response Header is part of the Response - and contains the "Origin" Header. This occurs even for non-CORS Requests.
- If
cloudGateCorsEnabled
isfalse
, processing stops here. The Response is returned as-is. - Cloud Gate verifies that the Origin is allowed - using the configured list of Allowed Origins.
If the Origin isn't allowed, all supported CORS Response Headers are stripped from the Response and processing ends.
- The
Access-Control-Allow-Origin
Response Header is added and configured to the value of the Origin Request Header. - The
Access-Control-Allow-Credentials
Response Header is added and configured totrue
. - The
Access-Control-Expose-Headers
is configured to the intersection between thecloudGateCorsExposedHeaders
value, and the list of Headers being returned in the Response. - The
Access-Control-Allow-Methods
,Access-Control-Allow-Headers
, andAccess-Control-Max-Age Response Headers
are removed from the Response.
- Cloud Gate returns its Response.
Note:
Cloud Gate overwrites the Access-Control-Allow-Origin
and Access-Control-Allow-Credentials Response
Headers if set by the upstream application server.
Preflight CORS Request Workflow
- The Request is identified as a CORS Request by the presence of the Origin Request Header.
- If necessary (for example, cache expiry), the Cloud Gate CORS settings are downloaded from Oracle Identity Cloud Service.
- The Request is identified as a Preflight CORS Request by the OPTIONS Method and the
Access-Control-Request-Method
Request Header - in addition to the Origin Request Header. - If
cloudGateCorsEnabled
istrue
, the Request is allowed to go through to the upstream application server - to allow applications to implement CORS.If
cloudGateCorsEnabled
isfalse
, the oldisCorsAllowed
Web Tier Policy setting is still honored - just later in the request processing. - Before the response is returned from Cloud Gate, CORS is enforced as defined by the Cloud Gate CORS settings.
- Cloud Gate always ensures that the Vary Response Header is part of the Response - and contains the "Origin" Header. This occurs even for non-CORS Requests.
- If
cloudGateCorsEnabled
isfalse
, processing stops here. The Response is returned as-is. - Cloud Gate verifies that the Origin is allowed - using the configured list of Allowed Origins.
If the Origin isn't allowed, all supported CORS Response Headers are stripped from the Response and processing ends.
- The
Access-Control-Allow-Origin
Response Header is added and configured to the value of the Origin Request Header. - The
Access-Control-Allow-Credentials
Response Header is added and configured totrue
. - If the upstream application server didn't add the
Access-Control-Allow-Methods
Response Header, Cloud Gate constructs its value as follows:- If the Allow Response Header is included in the Response, Cloud Gate uses its value.
- If the
Access-Control-Request-Method
Request Header is found in the Request, Cloud Gate uses its value.
- If the upstream application server didn't add the
Access-Control-Allow-Headers
Response Header, Cloud Gate uses the value of theAccess-Control-Request-Headers
Request Header in the Request if it is present. - If
cloudGateCorsMaxAge
is configured to a value greater than zero, theAccess-Control-Max-Age
Response Header is added and configured to the max age value. If thecloudGateCorsMaxAge
value is zero or less, no action is taken for theAccess-Control-Max-Age
Response Header. - The
Access-Control-Expose-Headers
Response Header is removed. It doesn't apply to Preflight Responses.
- Cloud Gate returns its Response.