Forum Discussion
CORS iRule Problem
I'm having a lot of trouble setting CORS headers and I'm hoping someone with more familiarity can help me out. This is my first time working with CORS, in fact until a few days ago I had never even heard of it. After some reading, my understanding is that CORS is a way to prevent a webpage from referencing another webpage.
So I have a page, we'll call it siteA, that gets some dynamic data from another webpage, siteB (both are internal pages) and my understanding is that siteB will not talk to siteA unless siteA presents a CORS header with a value of siteA.domain.com; is this even the correct interpretation of how this is supposed to work?
DevCentral keeps marking as spam so I might end up posting a partial explanation
- houstonrob (Nimbostratus)
SiteA and siteB are behind the same VIP, I just use an iRule to determine which pool gets hit based on the URL and they both get authenticated by APM.
I wrote this based on my understanding of CORS, but when I look at the traffic in Fiddler, I never see a CORS header. Anyone who's done this know where I might be going wrong or if I'm completely misunderstanding how CORS is supposed to work?
I've read a few other posts on here related to CORS, but the solutions didn't seem to work for me.
Any help is appreciated!
- houstonrob (Nimbostratus)
This board would not let me post this as one message, kept saying it's spam. Here's the iRule:
    when HTTP_REQUEST {
        set Origin [HTTP::header Origin]
        if { [HTTP::header exists Origin] } {
            log local0. "We found an origin header:[HTTP::header Origin]"
            if { [HTTP::header Origin] eq "https://siteA.domain.com" } {
                log local0. "it did equal siteA $Origin and the method is [HTTP::method]"
                switch [HTTP::method] {
                    "OPTIONS" {
                        log local0. "hitting the OPTIONS response"
                        HTTP::respond 200 noserver Allow "GET,HEAD,POST,OPTIONS" \
                            Access-Control-Allow-Origin "[HTTP::header Origin]" \
                            Access-Control-Allow-Methods "GET,POST" \
                            Access-Control-Max-Age "86400" \
                            Access-Control-Allow-Credentials "true"
                        return
                    }
                    "GET" {
                        log local0. "method is get setting the Origin variable with [HTTP::header Origin]"
                        set Origin [HTTP::header Origin]
                    }
                    "POST" {
                        log local0. "method is get setting the Origin variable with [HTTP::header Origin]"
                        set Origin [HTTP::header Origin]
                    }
                }
            } else {
                log local0. "The origin header did not match siteA $Origin"
                if {[HTTP::method] eq "OPTIONS"} {
                    log local0. "Wasnt siteA and method was options"
                    HTTP::respond 200 noserver Allow "GET,POST,HEAD,OPTIONS"
                    return
                }
            }
        }
    }
    when HTTP_RESPONSE {
        log local0. "The variable origin has a value of $Origin"
        if {$Origin ne ""} {
            log local0. "Adding in an origin header $Origin"
            HTTP::header insert "Access-Control-Allow-Origin" $Origin
            HTTP::header insert "Access-Control-Allow-Methods" "GET,POST"
            HTTP::header insert "Access-Control-Max-Age" "86400"
            HTTP::header insert "Allow" "GET,HEAD,POST,OPTIONS"
        }
        log local0. "inserting Vary and Origin"
        HTTP::header insert "Vary" "Origin"
    }
- houstonrob (Nimbostratus)
It looks like my problem is with the response, the log shows a ton of "The variable has a value of" messages with nothing for the $Origin value; I'm pretty sure this should have a value. It looks like I never get a log message saying "Adding in an origin header $Origin"; does anyone see anything that might be wrong with how I'm doing this?
- Harsha_Potharaj (Nimbostratus)
Hello,
Use

    Access-Control-Allow-Headers "Origin, Content-Type, Accept, Xx, Yy, Zz, etc" \

in the HTTP_REQUEST. And let me know what the error is so that we can see whether a data group is required.
-Harsha.
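
An added example, not code from the thread or from any participant: one way to write the allowlist-based CORS handling discussed above, matching the Origin header against a data group (as the last reply mentions) instead of a hard-coded string. The data group name cors_allowed_origins and the variable names are assumptions.

```tcl
# Added example, not the poster's iRule.
# Assumption: "cors_allowed_origins" is a string data group whose keys are
# full origins such as https://siteA.domain.com
when HTTP_REQUEST {
    # Reset on every request so a keep-alive connection never reuses the
    # value left over from an earlier request on the same connection.
    set cors_origin ""

    if { [HTTP::header exists "Origin"] } {
        set req_origin [HTTP::header value "Origin"]
        # Exact match against the allowlist; an unlisted origin is never
        # copied into Access-Control-Allow-Origin.
        if { [class match $req_origin equals cors_allowed_origins] } {
            set cors_origin $req_origin
        } else {
            log local0. "CORS: Origin header present but not in allowlist"
        }
    }

    # Preflight: a browser sends OPTIONS with Access-Control-Request-Method.
    # Answer it here only for allowed origins; everything else goes to the pool.
    if { [HTTP::method] eq "OPTIONS" && $cors_origin ne "" \
         && [HTTP::header exists "Access-Control-Request-Method"] } {
        HTTP::respond 200 noserver \
            Access-Control-Allow-Origin $cors_origin \
            Access-Control-Allow-Methods "GET, POST" \
            Access-Control-Allow-Headers "Origin, Content-Type, Accept" \
            Access-Control-Allow-Credentials "true" \
            Access-Control-Max-Age "86400" \
            Vary "Origin"
        return
    }
}

when HTTP_RESPONSE {
    # Only responses to requests from an allowed origin get CORS headers.
    if { $cors_origin ne "" } {
        # replace adds the header if absent and avoids duplicate values
        HTTP::header replace "Access-Control-Allow-Origin" $cors_origin
        HTTP::header replace "Access-Control-Allow-Credentials" "true"
    }
    # The response differs per Origin, so caches must key on it.
    HTTP::header insert "Vary" "Origin"
}
```

Requests that carry no Origin header leave cors_origin empty, so their responses get only the Vary header.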