Forum Discussion
Rory_Hewitt_F5_
Cirrus
CirrusAdding CORS response headers
Hey all, There are a number of other older (2013-era) threads about CORS headers, and I want to ask a specific question which has not been asked there: Can I add a response header using HTTP:...
To anyone who comes in afterwards and wants to find a 'final' solution, here's what we ended up with (which functions perfectly, at least for us):
when HTTP_REQUEST priority 200 { unset cors_origin -nocomplain if { [HTTP::header Origin] ends_with ".example.com" } { if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } { CORS preflight request - return response immediately HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \ "Access-Control-Allow-Methods" "POST, GET, OPTIONS" \ "Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \ "Access-Control-Max-Age" "86400" } else { CORS GET/POST requests - set cors_origin variable set cors_origin [HTTP::header "Origin"] } } ... ... ... other irules ... ... ... } when HTTP_RESPONSE { CORS GET/POST response - check cors_origin variable set in request if { [info exists cors_origin] } { HTTP::header insert "Access-Control-Allow-Origin" $cors_origin HTTP::header insert "Access-Control-Allow-Credentials" "true" HTTP::header insert "Vary" "Origin" } }If you have any comments about this, please do so. And, of course, feel free to use it yourself.
IheartF5_45022
Nacreous
NacreousAre you sure that there is a request header Access-Control-Request-Headers in the request? Also when you say it's not working is the F5 refusing to save the iRule, or are you getting a TCL error when you execute, or is the client browser not liking the response to the OPTIONS request?
Also as a general comment be careful of intermediate downstream caches for GET requests. If the response is cacheable, and made over HTTP, then you either need to make it not cacheable OR insert "Vary:Origin".
- Rory_Hewitt_F5_I'm having problems even deploying the iRule. To be honest, although I know Tcl from a long time ago, I don't know F5 or how the iRules are combined to make a deployable XML file (or whatever it is). As far as I know, the specific iRule (Tcl file) is being saved, but when multiple iRules are being combined (with assorted other TXT files), something is failing, and the final XML file is missing all the Tcl files. Given that my change is in the first Tcl file and given that it's the only change form the last (working) version, I'm assuming that there is a syntax bug in there somewhere... As far as adding the Vary:Origin header, we've removed that from the caching we're doing (in Akamai). I'm sadly well aware of the concerns about the Vary header...