Working with CORS
Cross-Origin Resource Sharing (CORS) is a header-based protocol that allows JavaScript to make requests on your behalf to access resources in another domain. Configure Cloud Gate so that it enables CORS and enforces CORS settings for Cloud Gate running in App Gateway.
CORS helps to prevent rogue JavaScript (planted in a site by attackers, for example, by using advertisements) from making AJAX requests on your behalf. Fraudulent AJAX requests could withdraw money from your bank or make purchases in your name at an online shopping site. These requests could succeed if you currently have an active session with those sites. CORS stipulates that if a server doesn't respond with the correct set of Response Headers, the browser doesn't allow the JavaScript to see (or access) the response.
- domain - for example,
site1.oraclecloud.com
callsoracle.com
- subdomain - for example,
site1.oraclecloud.com
callssite7.oraclecloud.com
- port - for example,
site1.oraclecloud.com
callssite1.oraclecloud.com:3030
- protocol - for example,
https://site1.oraclecloud.com
callshttp://site1.oraclecloud.com
A CORS Request comes in two forms: a Simple CORS Request or a Preflight CORS Request.
Simple CORS Request
- The method is one of the following:
GET
POST
HEAD
- The allowed HTTP Headers that can be manually added to the Simple CORS Request are:
Accept
Accept-Language
Content-Language
Content-Type
DPR
Downlink
Save-Data
Viewport-Width
Width
- The
Content-Type
, if set, must be:application/x-www-form-urlencoded
multipart/form-data
text/plain
Preflight CORS Request
If the JavaScript request doesn't meet the characteristics of a Simple CORS Request, then a Preflight CORS Request is sent to the resource located in the other domain.
The Preflight CORS Request tests whether the actual request can be sent to that resource by including specific HTTP headers in the request containing the data that resulted in the preflight request flow being triggered. In other words, if the JavaScript HTTP Request specified some method/headers in the HTTP Request that required a Preflight CORS Request, then the Preflight CORS Request queries the resource for those method/headers to see whether the resource accepts such a cross-domain request.
Cloud Gate CORS Configuration Properties and Attributes
CORS Property | Description |
---|---|
cloudGateCorsEnabled |
Boolean property to turn on Cloud Gate CORS support. This setting must be configured to:
The default is
false .
Note: ConfigurecloudGateCorsAllowedOrigins at the same time. If this is property is left empty, all CORS Requests fail.
|
cloudGateCorsAllowedOrigins |
The property is a String Array that contains the list of allowed CORS Origins. The default is an empty array. Every CORS Request specifies its source or origin in the Origin Request Header. The value of the Origin Header is matched to this list. If the Origin is matched, Cloud Gate adds the appropriate CORS Headers to its response. If the Origin isn't matched, Cloud Gate doesn't return any CORS Response Headers - causing the response to be rejected by the browser.
Allowed CORS values in the entry template:
Examples:
|
cloudGateCorsAllowNullOrigin |
Boolean property to support scenarios where the browser sends a "null" Origin. This setting must be configured to: The default is A "null" Origin is sent if the CORS Request is coming from a file on a user's computer or if a server redirects to another server in response to a CORS Request. The browser passes a "null" Origin when it considers the Origin "tainted". To increase security, by default, "null" Origins aren't allowed. Some "null" Origins are valid. Applications that leverage the Oracle Identity Cloud Service OpenID Connect (OIDC) Browser Flow Login will see "null" Origins sent to their Cloud Gate node(s). When Cloud Gate redirects to the Oracle Identity Cloud Service authorize endpoint to start the OIDC Browser Login and when Oracle Identity Cloud Service redirects the request back to Cloud Gate, the Origin will be "null". |
cloudGateCorsMaxAge |
An integer that specifies the number of seconds the client (browser) can cache a Preflight CORS Response. |
cloudGateCorsExposedHeaders |
The property is a String Array that lists the Response Headers that can be added to the The default is an empty array. |