I have a set of proxies being consumed by multiple sites. I have added a CORS policy to send the headers below to fix the CORS issue. I read that CORS helps to add security and that it is not recommended to allow all origins, since the proxy can then be accessed by any website. I tried to give comma-separated values ( ) inside the allowed origins. However, the browser gives an error saying that the header contains multiple values. Is there any inbuilt way to configure Apigee to allow multiple valid origins, so that Apigee will send only the valid origin according to the incoming request? This kind of option is available in other frameworks, where we can configure all the allowed origins and the server will respond with the appropriate headers. I was thinking of doing a JS callout to check the value of Origin against a comma-separated list stored in KVM. Please let me know if there is an easier way to solve this.

Indicates whether the response can be shared, via returning the literal value of the `Origin` request header (which can be `null`) or `*` in a response.

Which means the response header should not contain a list. It should contain exactly one value: the Origin request header, or * to indicate "any origin".

If you are using Apigee X or hybrid, then you should use the CORS policy. The configuration looks like this:

As implied by the AllowOrigins element name, the text within AllowOrigins is a list; you can specify a list of origins that are valid. Then, when constructing the response to send to the caller, this policy will compare the actual passed-in Origin with the elements in the list. If it finds a match, it will return the original in Access-Control-Allow-Origin, a single value in keeping with the fetch spec. The text value of the AllowOrigins element is a message template, which means you can refer to a variable within curly braces, by which you can dynamically specify the list of allowed origins at runtime (or maybe through a configuration item from a .properties file). The policy resolves the message template and then does the right thing as described above. So basically it solves the problem you described very nicely: how do I support multiple distinct allowed origins?

If you are not using Apigee X or hybrid, then you must resort to using AssignMessage and figuring out when and how to attach it, and also you must explicitly perform the logic of comparing the passed-in Origin against your acceptable list (stored where? it depends). You could do the comparison logic in a compound Condition statement, or a JS step, as you described. In the case of AssignMessage, the Header element is a message template, and you can again reference a variable, probably. Just be sure to validate that header before inserting that origin in the response.

1. Push the possible CORS domains into KVM (comma separated).
2. Use a JS policy (use properties to pass the KVM CORS variable).
3. Validate that the header exists and that the request verb is OPTIONS (for CORS it's OPTIONS).
4. If everything is good with the Origin header, then split the values and validate the URL format (use a regexp) to test against predefined expressions.
5. Finally, compare and enable a flag to proceed or stop the flow.
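The KVM-plus-JavaScript approach sketched in the second answer, as an added example that is not code from the thread: it assumes the flow variable names cors.allowedOrigins, cors.allowed and cors.origin, and is written in ES5 so the same functions run in Node and inside an Apigee JavaScript policy.

```javascript
// Added example, not code from the thread: the Origin check sketched in the
// second answer (allowed list from KVM, compared to the request's Origin),
// written in ES5 so it runs both in Node and inside an Apigee JavaScript
// policy. The variable names cors.allowedOrigins / cors.allowed / cors.origin
// are assumptions, not Apigee built-ins.

// Accept only scheme://host[:port]; rejects "null", paths, wildcards, junk.
var ORIGIN_RE = /^https?:\/\/[a-z0-9.-]+(?::\d{1,5})?$/i;

// Turn the comma-separated KVM value into a clean list of well-formed origins.
function parseAllowedOrigins(csv) {
  var out = [];
  var parts = String(csv || '').split(',');
  for (var i = 0; i < parts.length; i++) {
    var o = parts[i].trim();
    if (ORIGIN_RE.test(o)) { out.push(o); }
  }
  return out;
}

// Decide what to echo back: the matching list entry (exactly one value, as
// the fetch spec requires) or nothing at all. Matching is exact on the whole
// origin, never a substring or prefix test, so app.example.com.evil.net fails.
function resolveCorsOrigin(requestOrigin, allowedCsv) {
  if (typeof requestOrigin !== 'string' || !ORIGIN_RE.test(requestOrigin)) {
    return { allowed: false, header: null };
  }
  var allowed = parseAllowedOrigins(allowedCsv);
  var wanted = requestOrigin.toLowerCase();
  for (var i = 0; i < allowed.length; i++) {
    if (allowed[i].toLowerCase() === wanted) {
      return { allowed: true, header: allowed[i] };
    }
  }
  return { allowed: false, header: null };
}

// Glue for an Apigee JavaScript policy: read the Origin header and the
// KVM-populated variable, then set a flag a later Condition can test and
// the single origin value an AssignMessage can place in
// Access-Control-Allow-Origin. Skipped when run outside Apigee.
if (typeof context !== 'undefined') {
  var result = resolveCorsOrigin(
    context.getVariable('request.header.origin'),
    context.getVariable('cors.allowedOrigins'));
  context.setVariable('cors.allowed', result.allowed);
  context.setVariable('cors.origin', result.header);
}
```

When cors.allowed is false the flow should stop or omit the header entirely rather than fall back to *, which is the failure mode the question describes.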