Forum Discussion

Cirrus

Jul 10, 2015

Solved

Adding CORS response headers

Hey all,

There are a number of other older (2013-era) threads about CORS headers, and I want to ask a specific question which has not been asked there:

Can I add a response header using HTTP::header insert within an HTTP_REQUEST?

In at least one CORS-related thread (https://devcentral.f5.com/questions/cors-irule-query), this is shown happening. However, in another thread (https://devcentral.f5.com/questions/access-control-allow-origin-on-f5) the answer includes code in the HTTP_REQUEST to set a variable and then in the HTTP_RESPONSE, a check is made on that variable and if it is set, the HTTP::header insert is used.

Basically, I want to include all my CORS-related code in one place. Currently, I am doing basic CORS (adding the ACAO header for GET/POST requests from my domain where the Origin request header is present) using my CDN (Akamai) and I have this iRule for CORS preflight responses:

when HTTP_REQUEST {
    if { ( [HTTP::method] equals "OPTIONS" ) and
         ( [HTTP::host] contains "mysite.com"] ) and
         ( [HTTP::header] exists "Access-Control-Request-Method") } {
            HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" \
                              Access-Control-Allow-Methods "POST, GET, OPTIONS" \
                              Access-Control-Allow-Headers "[HTTP::header Access-Control-Request-Headers]" \
                              Access-Control-Max-Age "86400"
            return
    }
}

However, for simplification, I want to put all the CORS stuff (basic and preflight) in the iRule. So my question is, will this work:

when HTTP_REQUEST {
     CORS preflight OPTIONS requests
    if { ( [HTTP::method] equals "OPTIONS" ) and
         ( [HTTP::host] contains "mysite.com"] ) and
         ( [HTTP::header] exists "Access-Control-Request-Method") } {
            HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" \
                              Access-Control-Allow-Methods "POST, GET, OPTIONS" \
                              Access-Control-Allow-Headers "[HTTP::header Access-Control-Request-Headers]" \
                              Access-Control-Max-Age "86400"
            return
    }
     CORS GET/POST requests
    if { ( [HTTP::method] equals "GET" or [HTTP::method] equals "POST") and
         ( [HTTP::host] contains "mysite.com"] ) and
         ( [HTTP::header] exists "Origin") } {
            HTTP::header insert Access-Control-Allow-Origin "[HTTP::header Origin]"
    }
}

or do I need this:

when HTTP_REQUEST {
     CORS preflight OPTIONS requests
    if { ( [HTTP::method] equals "OPTIONS" ) and
         ( [HTTP::host] contains "mysite.com"] ) and
         ( [HTTP::header] exists "Access-Control-Request-Method") } {
            HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" \
                              Access-Control-Allow-Methods "POST, GET, OPTIONS" \
                              Access-Control-Allow-Headers "[HTTP::header Access-Control-Request-Headers]" \
                              Access-Control-Max-Age "86400"
            return
    }
     CORS GET/POST requests
    if { ( [HTTP::host] contains "mysite.com"] ) and
         ( [HTTP::header] exists "Origin") } {
            set cors_origin [HTTP::header Origin]
    }
}
when HTTP_RESPONSE {
     CORS GET/POST response - check variable set in request
    if { [info exists cors_origin] } {
            HTTP::header insert Access-Control-Allow-Origin $cors_origin
    }
}

Does this make sense, or am I getting too complex?

To anyone who comes in afterwards and wants to find a 'final' solution, here's what we ended up with (which functions perfectly, at least for us):

when HTTP_REQUEST priority 200 {
    unset cors_origin -nocomplain
    if { [HTTP::header Origin] ends_with ".example.com" } {
        if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } {
             CORS preflight request - return response immediately
            HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \
                              "Access-Control-Allow-Methods" "POST, GET, OPTIONS" \
                              "Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \
                              "Access-Control-Max-Age" "86400"
        } else {
             CORS GET/POST requests - set cors_origin variable
            set cors_origin [HTTP::header "Origin"]
        }
    }
    ...
    ...
    ...
    other irules
    ...
    ...
    ...
}
when HTTP_RESPONSE {
     CORS GET/POST response - check cors_origin variable set in request
    if { [info exists cors_origin] } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        HTTP::header insert "Access-Control-Allow-Credentials" "true"
        HTTP::header insert "Vary" "Origin"
    }
}

If you have any comments about this, please do so. And, of course, feel free to use it yourself.

13 Replies

Kevin_Stewart
Employee
Jul 10, 2015
The solution depends on where you want the traffic to go. If you want it to go to the client, then it's in the response event. To the server then it's in the request event. The HTTP::respond command is a little unique here because it forces a preemptive response to the client from a request event - in other words the server never sees the request. The iTule preemptively sends a response.

If you want to send additional data to the client based on something they said in the request, then the best approach is to set a variable in the request and look for that variable in the response event.

IheartF5_45022

Nacreous

Jul 27, 2015

Hi,

We have a requirement to restrict CORS requests to domains owned by our company, or by subsidaries/partners. This rule works well for us;-

when HTTP_REQUEST {

    set debug 0
    set Origin ""

     Can be used in prod for debugging on a per-connection basis, using a browser add-on like Firebug to add the headers
    if {[HTTP::header exists "X-tls-debug"]} {
        set debug 1
    }

     log prefix for connection/request tracking. All debug logs will start with [xxxx.yyyy] where xxxx is the connection and yyyy is the request id
    if {$debug} {   
         per request identifier
        set prefix "\[[TCP::client_port].[expr {int (rand() * 100000)}]\] " 
    }

    if {[HTTP::header exists Origin]} {
         This is a cross-origin request
        if {$debug} {log local0. "${prefix} Origin:[HTTP::header Origin]"}
        switch -glob -- [HTTP::header Origin] {
            "*company.com" -
            "*company.com.au" -
            "*partner.com" -
            "*partner2.com.au" {
                 This is  a valid Origin
                switch -- [HTTP::method] {
                    "OPTIONS" {
                        if {$debug} {log local0. "${prefix} Responding to Preflight request"}
                        HTTP::respond 200 noserver  Allow "GET,HEAD,POST,OPTIONS" \
                                                    Access-Control-Allow-Origin "[HTTP::header Origin]" \
                                                    Access-Control-Allow-Methods "GET,POST" \
                                                    Access-Control-Max-Age "86400"
                        return
                    }
                    "GET" -
                    "POST" {
                        if {$debug} {log local0. "${prefix} Origin:[HTTP::header Origin]"}
                         Set variable to add headers to response
                        set Origin [HTTP::header Origin]
                    }
                }
            }
            default {
                 This is a cross-origin request,  however it's not from the correct domain
                if {[HTTP::method] eq "OPTIONS"} {
                    if {$debug} {log local0. "${prefix} Responding to OPTIONS method"}
                    HTTP::respond 200 noserver Allow "GET,POST,HEAD,OPTIONS"
                    return
                }
                 So what if it's not from correct domain,  but is GET/POST - still gonna send a response,  just not add in any CORS headers,  which will make response fail at browser
            }
        }
    }   
}
when HTTP_RESPONSE {

    if {$Origin ne ""} {
         This response needs CORS headers inserted     
       HTTP::header insert "Access-Control-Allow-Origin" $Origin
       HTTP::header insert "Access-Control-Allow-Methods" "GET,POST"
       HTTP::header insert "Access-Control-Max-Age" "86400"
       HTTP::header insert "Allow" "GET,HEAD,POST,OPTIONS"
    }

     Don't forget this - if a request is CORS-enabled,  you ALWAYS need to instruct a cache to Vary a response based on Origin,
     even if this particular request was not a valid cross-origin request. 
    HTTP::header insert "Vary" "Origin"
}

Rory_Hewitt_F5_

Cirrus

Sep 04, 2015

I am now having a separate problem related to a new version of sample code above. Here's the problem fragment:

if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::host] contains "example.com"] ) and ( [HTTP::header] exists "Access-Control-Request-Method") } {
    HTTP::respond 200 "Access-Control-Allow-Origin" "[HTTP::header Origin]" "Access-Control-Allow-Methods" "POST, GET, OPTIONS" "Access-Control-Allow-Headers" "[HTTP::header Access-Control-Request-Headers]" "Access-Control-Max-Age" "86400"        
} elseif { ( [HTTP::host] contains "example.com"] ) and ( [HTTP::header] exists "Origin") } {
     CORS GET/POST requests - set cors_origin variable
    set cors_origin [HTTP::header Origin]
}

As you can see, each of the CORS response header names in the second line is enclosed in double-quotes, so the iRule treats them as strings.

However, when I try to deploy the iRule that contains this fragment, it fails, and I'm not sure why.

Could the problem be this bit:

"Access-Control-Allow-Headers" "[HTTP::header Access-Control-Request-Headers]"

Could Tcl think that Access-Control-Request-Headers is not a string? If so, what's the solution? Can I have a string within a string?

IheartF5_45022
Nacreous
Sep 06, 2015
Just try removing the quotes from all the header names as you did in your original post.
- Rory_Hewitt_F5_
  Cirrus
  Sep 08, 2015
  I tried that - in fact my original version was a semi-direct copy of your answer in https://devcentral.f5.com/s/feed/0D51T00006i7X7cSAE. However, there still seem to be some problems. Are you saying that this should work: if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::host] contains "fds.com"] ) and ( [HTTP::header] exists "Access-Control-Request-Method") } { HTTP::respond 200 Access-Control-Allow-Origin [HTTP::header Origin] \ Access-Control-Allow-Methods "POST, GET, OPTIONS" \ Access-Control-Allow-Headers [HTTP::header Access-Control-Request-Headers] \ Access-Control-Max-Age "86400" } elseif { ( [HTTP::host] contains "fds.com"] ) and ( [HTTP::header] exists "Origin") } { CORS GET/POST requests - set cors_origin variable set cors_origin [HTTP::header "Origin"] } Because it doesn't seem to be doing so for me.
IheartF5_45022
Nacreous
Sep 08, 2015
Are you sure that there is a request header Access-Control-Request-Headers in the request? Also when you say it's not working is the F5 refusing to save the iRule, or are you getting a TCL error when you execute, or is the client browser not liking the response to the OPTIONS request?

Also as a general comment be careful of intermediate downstream caches for GET requests. If the response is cacheable, and made over HTTP, then you either need to make it not cacheable OR insert "Vary:Origin".
- Rory_Hewitt_F5_
  Cirrus
  Sep 08, 2015
  I'm having problems even deploying the iRule. To be honest, although I know Tcl from a long time ago, I don't know F5 or how the iRules are combined to make a deployable XML file (or whatever it is). As far as I know, the specific iRule (Tcl file) is being saved, but when multiple iRules are being combined (with assorted other TXT files), something is failing, and the final XML file is missing all the Tcl files. Given that my change is in the first Tcl file and given that it's the only change form the last (working) version, I'm assuming that there is a syntax bug in there somewhere... As far as adding the Vary:Origin header, we've removed that from the caching we're doing (in Akamai). I'm sadly well aware of the concerns about the Vary header...
IheartF5_45022
Nacreous
Sep 08, 2015
OK I see what you've done - a few syntax issues. Not sure what you are referring to when you talk about XML/TXT files, but I recommend that you get yourself a VE lab license and run a VE instance on your computer to at least syntax check a rule before deploying it.

Note that you must ensure that you do not execute any other commands after your HTTP::respond, and especially if you are combining iRules, it's best practice to add an explicit "return" afterwards.

if { [HTTP::method] eq "OPTIONS" && [HTTP::host] contains "example.com" && [HTTP::header exists "Access-Control-Request-Method"] } { HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" Access-Control-Allow-Methods "POST, GET, OPTIONS" Access-Control-Allow-Headers "[HTTP::header Access-Control-Request-Headers]" Access-Control-Max-Age "86400" return } elseif { [HTTP::host] contains "example.com" && [HTTP::header exists "Origin"] } { CORS GET/POST requests - set cors_origin variable set cors_origin [HTTP::header Origin] }
- Rory_Hewitt_F5_
  Cirrus
  Sep 09, 2015
  Hmmm. When I compare yours with mine, I see that you're using 'eq' and '&&' rather than 'equals' and 'and', but those function exactly the same, don't they? Also I can see that you're not using all the additional parentheses around each sub-clause, but that SEEMS like a stylistic thing, right? The only DIFFERENCE is that you're not putting the header names in quotes, but you ARE including the entire value for each header in double-quotes. but again, shouldn't my version also work? Isn't this: HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" the same as this: HTTP::respond 200 Access-Control-Allow-Origin [HTTP::header "Origin"] I REALLY appreciate your help, but the team that actually deploys these iRules to our environments won't accept a new version from me, and I guess I'm still not clear on what's actually WRONG with my version - where exactly is my error? The XML file I'm talking about is the BigIpConfiguration file.

Rory_Hewitt_F5_

Cirrus

Oct 08, 2015

To anyone who comes in afterwards and wants to find a 'final' solution, here's what we ended up with (which functions perfectly, at least for us):

when HTTP_REQUEST priority 200 {
    unset cors_origin -nocomplain
    if { [HTTP::header Origin] ends_with ".example.com" } {
        if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } {
             CORS preflight request - return response immediately
            HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \
                              "Access-Control-Allow-Methods" "POST, GET, OPTIONS" \
                              "Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \
                              "Access-Control-Max-Age" "86400"
        } else {
             CORS GET/POST requests - set cors_origin variable
            set cors_origin [HTTP::header "Origin"]
        }
    }
    ...
    ...
    ...
    other irules
    ...
    ...
    ...
}
when HTTP_RESPONSE {
     CORS GET/POST response - check cors_origin variable set in request
    if { [info exists cors_origin] } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        HTTP::header insert "Access-Control-Allow-Credentials" "true"
        HTTP::header insert "Vary" "Origin"
    }
}

If you have any comments about this, please do so. And, of course, feel free to use it yourself.

Rory_Hewitt_F5_
Cirrus
Apr 17, 2018
You're right. Apologies - I thought I had updated this code to fix that particular buglet. If I can, I'll update it now.
Rory_Hewitt_F5_
Cirrus
Apr 17, 2018
Check out https://devcentral.f5.com/s/articles/cors-implementation, which contains the 'correct' implementation.
¬†

Rory_Hewitt_F5_
Cirrus
Oct 08, 2015
Note: I have added our eventual solution at the bottom, in case anyone else has the same issues in the future.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

when HTTP_REQUEST {\n if { ( [HTTP::method] equals \"OPTIONS\" ) and\n ( [HTTP::host] contains \"mysite.com\"] ) and\n ( [HTTP::header] exists \"Access-Control-Request-Method\") } {\n HTTP::respond 200 Access-Control-Allow-Origin \"[HTTP::header Origin]\" \\\n Access-Control-Allow-Methods \"POST, GET, OPTIONS\" \\\n Access-Control-Allow-Headers \"[HTTP::header Access-Control-Request-Headers]\" \\\n Access-Control-Max-Age \"86400\"\n return\n }\n}

when HTTP_REQUEST {\n CORS preflight OPTIONS requests\n if { ( [HTTP::method] equals \"OPTIONS\" ) and\n ( [HTTP::host] contains \"mysite.com\"] ) and\n ( [HTTP::header] exists \"Access-Control-Request-Method\") } {\n HTTP::respond 200 Access-Control-Allow-Origin \"[HTTP::header Origin]\" \\\n Access-Control-Allow-Methods \"POST, GET, OPTIONS\" \\\n Access-Control-Allow-Headers \"[HTTP::header Access-Control-Request-Headers]\" \\\n Access-Control-Max-Age \"86400\"\n return\n }\n CORS GET/POST requests\n if { ( [HTTP::method] equals \"GET\" or [HTTP::method] equals \"POST\") and\n ( [HTTP::host] contains \"mysite.com\"] ) and\n ( [HTTP::header] exists \"Origin\") } {\n HTTP::header insert Access-Control-Allow-Origin \"[HTTP::header Origin]\"\n }\n}

when HTTP_REQUEST {\n CORS preflight OPTIONS requests\n if { ( [HTTP::method] equals \"OPTIONS\" ) and\n ( [HTTP::host] contains \"mysite.com\"] ) and\n ( [HTTP::header] exists \"Access-Control-Request-Method\") } {\n HTTP::respond 200 Access-Control-Allow-Origin \"[HTTP::header Origin]\" \\\n Access-Control-Allow-Methods \"POST, GET, OPTIONS\" \\\n Access-Control-Allow-Headers \"[HTTP::header Access-Control-Request-Headers]\" \\\n Access-Control-Max-Age \"86400\"\n return\n }\n CORS GET/POST requests\n if { ( [HTTP::host] contains \"mysite.com\"] ) and\n ( [HTTP::header] exists \"Origin\") } {\n set cors_origin [HTTP::header Origin]\n }\n}\nwhen HTTP_RESPONSE {\n CORS GET/POST response - check variable set in request\n if { [info exists cors_origin] } {\n HTTP::header insert Access-Control-Allow-Origin $cors_origin\n }\n}

when HTTP_REQUEST {\n\n set debug 0\n set Origin \"\"\n\n Can be used in prod for debugging on a per-connection basis, using a browser add-on like Firebug to add the headers\n if {[HTTP::header exists \"X-tls-debug\"]} {\n set debug 1\n }\n\n log prefix for connection/request tracking. All debug logs will start with [xxxx.yyyy] where xxxx is the connection and yyyy is the request id\n if {$debug} { \n per request identifier\n set prefix \"\\[[TCP::client_port].[expr {int (rand() * 100000)}]\\] \" \n }\n\n if {[HTTP::header exists Origin]} {\n This is a cross-origin request\n if {$debug} {log local0. \"${prefix} Origin:[HTTP::header Origin]\"}\n switch -glob -- [HTTP::header Origin] {\n \"*company.com\" -\n \"*company.com.au\" -\n \"*partner.com\" -\n \"*partner2.com.au\" {\n This is a valid Origin\n switch -- [HTTP::method] {\n \"OPTIONS\" {\n if {$debug} {log local0. \"${prefix} Responding to Preflight request\"}\n HTTP::respond 200 noserver Allow \"GET,HEAD,POST,OPTIONS\" \\\n Access-Control-Allow-Origin \"[HTTP::header Origin]\" \\\n Access-Control-Allow-Methods \"GET,POST\" \\\n Access-Control-Max-Age \"86400\"\n return\n }\n \"GET\" -\n \"POST\" {\n if {$debug} {log local0. \"${prefix} Origin:[HTTP::header Origin]\"}\n Set variable to add headers to response\n set Origin [HTTP::header Origin]\n }\n }\n }\n default {\n This is a cross-origin request, however it's not from the correct domain\n if {[HTTP::method] eq \"OPTIONS\"} {\n if {$debug} {log local0. \"${prefix} Responding to OPTIONS method\"}\n HTTP::respond 200 noserver Allow \"GET,POST,HEAD,OPTIONS\"\n return\n }\n So what if it's not from correct domain, but is GET/POST - still gonna send a response, just not add in any CORS headers, which will make response fail at browser\n }\n }\n } \n}\nwhen HTTP_RESPONSE {\n\n if {$Origin ne \"\"} {\n This response needs CORS headers inserted \n HTTP::header insert \"Access-Control-Allow-Origin\" $Origin\n HTTP::header insert \"Access-Control-Allow-Methods\" \"GET,POST\"\n HTTP::header insert \"Access-Control-Max-Age\" \"86400\"\n HTTP::header insert \"Allow\" \"GET,HEAD,POST,OPTIONS\"\n }\n\n Don't forget this - if a request is CORS-enabled, you ALWAYS need to instruct a cache to Vary a response based on Origin,\n even if this particular request was not a valid cross-origin request. \n HTTP::header insert \"Vary\" \"Origin\"\n}\n

if { ( [HTTP::method] equals \"OPTIONS\" ) and ( [HTTP::host] contains \"example.com\"] ) and ( [HTTP::header] exists \"Access-Control-Request-Method\") } {\n HTTP::respond 200 \"Access-Control-Allow-Origin\" \"[HTTP::header Origin]\" \"Access-Control-Allow-Methods\" \"POST, GET, OPTIONS\" \"Access-Control-Allow-Headers\" \"[HTTP::header Access-Control-Request-Headers]\" \"Access-Control-Max-Age\" \"86400\" \n} elseif { ( [HTTP::host] contains \"example.com\"] ) and ( [HTTP::header] exists \"Origin\") } {\n CORS GET/POST requests - set cors_origin variable\n set cors_origin [HTTP::header Origin]\n}

if { [HTTP::method] eq \"OPTIONS\" && [HTTP::host] contains \"example.com\" && [HTTP::header exists \"Access-Control-Request-Method\"] } {\n HTTP::respond 200 Access-Control-Allow-Origin \"[HTTP::header Origin]\" Access-Control-Allow-Methods \"POST, GET, OPTIONS\" Access-Control-Allow-Headers \"[HTTP::header Access-Control-Request-Headers]\" Access-Control-Max-Age \"86400\"\n return\n } elseif { [HTTP::host] contains \"example.com\" && [HTTP::header exists \"Origin\"] } {\n CORS GET/POST requests - set cors_origin variable\n set cors_origin [HTTP::header Origin]\n}\n

when HTTP_REQUEST priority 200 {\n unset cors_origin -nocomplain\n if { [HTTP::header Origin] ends_with \".example.com\" } {\n if { ( [HTTP::method] equals \"OPTIONS\" ) and ( [HTTP::header exists \"Access-Control-Request-Method\"] ) } {\n CORS preflight request - return response immediately\n HTTP::respond 200 \"Access-Control-Allow-Origin\" [HTTP::header \"Origin\"] \\\n \"Access-Control-Allow-Methods\" \"POST, GET, OPTIONS\" \\\n \"Access-Control-Allow-Headers\" [HTTP::header \"Access-Control-Request-Headers\"] \\\n \"Access-Control-Max-Age\" \"86400\"\n } else {\n CORS GET/POST requests - set cors_origin variable\n set cors_origin [HTTP::header \"Origin\"]\n }\n }\n ...\n ...\n ...\n other irules\n ...\n ...\n ...\n}\nwhen HTTP_RESPONSE {\n CORS GET/POST response - check cors_origin variable set in request\n if { [info exists cors_origin] } {\n HTTP::header insert \"Access-Control-Allow-Origin\" $cors_origin\n HTTP::header insert \"Access-Control-Allow-Credentials\" \"true\"\n HTTP::header insert \"Vary\" \"Origin\"\n }\n}\n

Forum Discussion

Adding CORS response headers

13 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

In F5 APM, how to include multiple DNS suffix?

Username is not filled in EdgeClient in the Modern customization

Cert Bundle Manager

Question regarding F5 Viprion Configuration Migration to VE.

Why does SSLO not support ACTIVE-ACTIVE mode deployments？

Related Content

Introduction of Incident Response

Inserting a http header on the response to the client

Adding date and time to ASM response pages

Removing x-frame-options header from response when using APM

Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS