Forum Discussion
Rory_Hewitt_F5_
Cirrus
CirrusAdding CORS response headers
Hey all, There are a number of other older (2013-era) threads about CORS headers, and I want to ask a specific question which has not been asked there: Can I add a response header using HTTP:...
To anyone who comes in afterwards and wants to find a 'final' solution, here's what we ended up with (which functions perfectly, at least for us):
when HTTP_REQUEST priority 200 { unset cors_origin -nocomplain if { [HTTP::header Origin] ends_with ".example.com" } { if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } { CORS preflight request - return response immediately HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \ "Access-Control-Allow-Methods" "POST, GET, OPTIONS" \ "Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \ "Access-Control-Max-Age" "86400" } else { CORS GET/POST requests - set cors_origin variable set cors_origin [HTTP::header "Origin"] } } ... ... ... other irules ... ... ... } when HTTP_RESPONSE { CORS GET/POST response - check cors_origin variable set in request if { [info exists cors_origin] } { HTTP::header insert "Access-Control-Allow-Origin" $cors_origin HTTP::header insert "Access-Control-Allow-Credentials" "true" HTTP::header insert "Vary" "Origin" } }If you have any comments about this, please do so. And, of course, feel free to use it yourself.
Rory_Hewitt_F5_Cirrus
CirrusTo anyone who comes in afterwards and wants to find a 'final' solution, here's what we ended up with (which functions perfectly, at least for us):
when HTTP_REQUEST priority 200 {
unset cors_origin -nocomplain
if { [HTTP::header Origin] ends_with ".example.com" } {
if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } {
CORS preflight request - return response immediately
HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \
"Access-Control-Allow-Methods" "POST, GET, OPTIONS" \
"Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \
"Access-Control-Max-Age" "86400"
} else {
CORS GET/POST requests - set cors_origin variable
set cors_origin [HTTP::header "Origin"]
}
}
...
...
...
other irules
...
...
...
}
when HTTP_RESPONSE {
CORS GET/POST response - check cors_origin variable set in request
if { [info exists cors_origin] } {
HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
HTTP::header insert "Access-Control-Allow-Credentials" "true"
HTTP::header insert "Vary" "Origin"
}
}
If you have any comments about this, please do so. And, of course, feel free to use it yourself.
Rory_Hewitt_F5_Cirrus
CirrusYou're right. Apologies - I thought I had updated this code to fix that particular buglet. If I can, I'll update it now.