Forum Discussion

Rory_Hewitt_F5_'s avatar
Rory_Hewitt_F5_
Icon for Cirrus rankCirrus
Jul 10, 2015

Adding CORS response headers

Hey all,   There are a number of other older (2013-era) threads about CORS headers, and I want to ask a specific question which has not been asked there:   Can I add a response header using HTTP:...
application delivery
cors
devops
iRules
security
  • Rory_Hewitt_F5_'s avatar
    Rory_Hewitt_F5_
    Oct 08, 2015

    To anyone who comes in afterwards and wants to find a 'final' solution, here's what we ended up with (which functions perfectly, at least for us):

     

    when HTTP_REQUEST priority 200 {
    unset cors_origin -nocomplain
    if { [HTTP::header Origin] ends_with ".example.com" } {
        if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } {
             CORS preflight request - return response immediately
            HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \
                              "Access-Control-Allow-Methods" "POST, GET, OPTIONS" \
                              "Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \
                              "Access-Control-Max-Age" "86400"
        } else {
             CORS GET/POST requests - set cors_origin variable
            set cors_origin [HTTP::header "Origin"]
        }
    }
    ...
    ...
    ...
    other irules
    ...
    ...
    ...
}
when HTTP_RESPONSE {
     CORS GET/POST response - check cors_origin variable set in request
    if { [info exists cors_origin] } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        HTTP::header insert "Access-Control-Allow-Credentials" "true"
        HTTP::header insert "Vary" "Origin"
    }
}

     

    If you have any comments about this, please do so. And, of course, feel free to use it yourself.

     

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 10, 2015

The solution depends on where you want the traffic to go. If you want it to go to the client, then it's in the response event. To the server then it's in the request event. The HTTP::respond command is a little unique here because it forces a preemptive response to the client from a request event - in other words the server never sees the request. The iTule preemptively sends a response.

 

If you want to send additional data to the client based on something they said in the request, then the best approach is to set a variable in the request and look for that variable in the response event.