1. Oracle Identity Cloud Service REST APIREST API for Oracle Identity Cloud Service
  2. Use Cases
  3. Working with CORS

Working with CORS

Cross-Origin Resource Sharing (CORS) is a header-based protocol that allows JavaScript to make requests on your behalf to access resources in another domain. Configure Cloud Gate so that it enables CORS and enforces CORS settings for Cloud Gate running in App Gateway.

CORS helps to prevent rogue JavaScript (planted in a site by attackers, for example, by using advertisements) from making AJAX requests on your behalf. Fraudulent AJAX requests could withdraw money from your bank or make purchases in your name at an online shopping site. These requests could succeed if you currently have an active session with those sites. CORS stipulates that if a server doesn't respond with the correct set of Response Headers, the browser doesn't allow the JavaScript to see (or access) the response.

A CORS request is triggered when JavaScript attempts an HTTP Request to a different:
  • domain - for example, site1.oraclecloud.com calls oracle.com
  • subdomain - for example, site1.oraclecloud.com calls site7.oraclecloud.com
  • port - for example, site1.oraclecloud.com calls site1.oraclecloud.com:3030
  • protocol - for example, https://site1.oraclecloud.com calls http://site1.oraclecloud.com

A CORS Request comes in two forms: a Simple CORS Request or a Preflight CORS Request.

Simple CORS Request

A Simple CORS Request is performed if the JavaScript Request against a resource in another domain has the following characteristics:
  • The method is one of the following:
    • GET
    • POST
    • HEAD
  • The allowed HTTP Headers that can be manually added to the Simple CORS Request are:
    • Accept
    • Accept-Language
    • Content-Language
    • Content-Type
    • DPR
    • Downlink
    • Save-Data
    • Viewport-Width
    • Width
  • The Content-Type, if set, must be:
    • application/x-www-form-urlencoded
    • multipart/form-data
    • text/plain

Preflight CORS Request

If the JavaScript request doesn't meet the characteristics of a Simple CORS Request, then a Preflight CORS Request is sent to the resource located in the other domain.

The Preflight CORS Request tests whether the actual request can be sent to that resource by including specific HTTP headers in the request containing the data that resulted in the preflight request flow being triggered. In other words, if the JavaScript HTTP Request specified some method/headers in the HTTP Request that required a Preflight CORS Request, then the Preflight CORS Request queries the resource for those method/headers to see whether the resource accepts such a cross-domain request.

Cloud Gate CORS Configuration Properties and Attributes

The following table describes the Cloud Gate CORS configuration properties and attributes.
CORS Property Description
cloudGateCorsEnabled

Boolean property to turn on Cloud Gate CORS support. This setting must be configured to: true.

The default is false.

Note:

Configure cloudGateCorsAllowedOrigins at the same time. If this is property is left empty, all CORS Requests fail.
cloudGateCorsAllowedOrigins

The property is a String Array that contains the list of allowed CORS Origins.

The default is an empty array.

Every CORS Request specifies its source or origin in the Origin Request Header. The value of the Origin Header is matched to this list.

If the Origin is matched, Cloud Gate adds the appropriate CORS Headers to its response.

If the Origin isn't matched, Cloud Gate doesn't return any CORS Response Headers - causing the response to be rejected by the browser.

Allowed CORS values in the entry template:
  • Entry: * | <PROTOCOL>"://"<HOST><PORT>
  • <PROTOCOL>: * | http | https
  • <HOST>: [<DOMAIN>.]<DOMAIN>
  • <DOMAIN>: < any alphanumerical character, * and - >
    • A <DOMAIN> can't start or end with a '-'.
    • Any <DOMAIN> can be a wild card. The wild card must include the entire domain. For example, www.*.com is valid but www.*racle.com isn't.
    • Use https://tools.ietf.org/html/rfc1123 as a reference
  • <PORT>: <EMPTY> | ":" <PORT_VALUE>
  • <PORT_VALUE>: * | <numerical characters>. <PORT_VALUE> must be in the range 1 - 65535.
Examples:
  • Match everything: *
  • Exact match: https://www.acme.com, https://www.acme.com:4443
  • Exact host/protocol, any port: https://www.google.com:*
  • Exact host/port, any protocol (HTTP or HTTPS): *://www.acme.com, *://www.acme.com:8080
  • Subdomain, exact protocol, no port: https://*.oraclecloud.com
  • Any domain, exact protocol, no port: https://*
cloudGateCorsAllowNullOrigin

Boolean property to support scenarios where the browser sends a "null" Origin. This setting must be configured to: true.

The default is false.

A "null" Origin is sent if the CORS Request is coming from a file on a user's computer or if a server redirects to another server in response to a CORS Request. The browser passes a "null" Origin when it considers the Origin "tainted". To increase security, by default, "null" Origins aren't allowed.

Some "null" Origins are valid. Applications that leverage the Oracle Identity Cloud Service OpenID Connect (OIDC) Browser Flow Login will see "null" Origins sent to their Cloud Gate node(s). When Cloud Gate redirects to the Oracle Identity Cloud Service authorize endpoint to start the OIDC Browser Login and when Oracle Identity Cloud Service redirects the request back to Cloud Gate, the Origin will be "null".
cloudGateCorsMaxAge

An integer that specifies the number of seconds the client (browser) can cache a Preflight CORS Response.
cloudGateCorsExposedHeaders

The property is a String Array that lists the Response Headers that can be added to the Access-Control-Expose-Headers Response Header.

The default is an empty array.