CORS Plug-in
Overview
For security purposes, the browser restricts cross-domain requests initiated from page scripts, so a page can access only resources from its own domain. CORS allows the browser to send XMLHttpRequest requests to a server in a different domain. For details about CORS, see Configuring CORS for APIs.
The CORS plug-in lets you specify the preflight request headers and response headers, and automatically creates the cross-domain preflight request API, so that cross-domain access to APIs can be set up quickly and flexibly.
Restrictions
- In the same API group, all APIs in the same request path must be bound to the same CORS plug-in.
- If CORS is enabled for an API which is bound to a CORS plug-in, the bound plug-in is used.
- If a request path contains an API with the OPTIONS method, none of the APIs in the request path can be bound to the CORS plug-in.
- When binding a plug-in to an API, ensure that the request method of the API is allowed by allow_methods.
Parameter Description
| Parameter | Description |
|---|---|
| allow origin | Access-Control-Allow-Origin response header, which specifies the external domain URIs that are allowed to access the API. Use commas (,) to separate multiple URIs. For requests that do not carry identity credentials, set this parameter to *, indicating that access requests from all domains are allowed. |
| allow methods | Access-Control-Allow-Methods response header, which specifies the allowed HTTP request methods. Use commas (,) to separate multiple request methods. |
| allow headers | Access-Control-Allow-Headers response header, which specifies the request header fields that can be carried in the XMLHttpRequest request. Use commas (,) to separate request headers. By default, the simple request headers Accept, Accept-Language, Content-Language, and Content-Type (only when the value is application/x-www-form-urlencoded, multipart/form-data, or text/plain) can be carried in the request and do not need to be set in this parameter. |
| expose headers | Access-Control-Expose-Headers response header, which specifies the response header fields that can be carried in the XMLHttpRequest response. Use commas (,) to separate multiple response headers. By default, the basic response headers Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma can be carried in the response and do not need to be set in this parameter. |
| max age | Access-Control-Max-Age response header, which specifies the validity period of the preflight request, in seconds. No more preflight requests are needed within the period. |
| allow credentials | Access-Control-Allow-Credentials response header, which determines whether the XMLHttpRequest request is allowed to carry cookies. |
Script Configuration Example
{
  "allow_origin": "*",
  "allow_methods": "GET,POST,PUT",
  "allow_headers": "Accept-Ranges,Cache-Control",
  "expose_headers": "X-Request-Id,X-Apig-Latency",
  "max_age": 172800,
  "allow_credentials": true
}
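The configuration above pairs `"allow_origin": "*"` with `"allow_credentials": true`, although the allow origin row reserves `*` for requests that carry no identity credentials. The following pre-deployment check is an added example, not part of the original page or the vendor's code; it lints a plug-in script against that rule and the restrictions listed earlier, and the names `lint_cors_plugin`, `split_csv` and the `api_methods` input are assumptions made for illustration.

```python
import json

# Constructed input: the values from the script configuration example above.
PAGE_EXAMPLE = json.loads("""{
  "allow_origin": "*", "allow_methods": "GET,POST,PUT",
  "allow_headers": "Accept-Ranges,Cache-Control",
  "expose_headers": "X-Request-Id,X-Apig-Latency",
  "max_age": 172800, "allow_credentials": true
}""")

def split_csv(value):
    """Split a comma-separated plug-in value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def lint_cors_plugin(config, api_methods):
    """Return (code, message) findings for a config bound to APIs on one request path.

    api_methods: request methods of the APIs defined on that path (assumed input).
    """
    findings = []
    origins = split_csv(config.get("allow_origin", ""))
    allowed = {m.upper() for m in split_csv(config.get("allow_methods", ""))}
    if not origins:
        findings.append(("no-origin", "allow_origin is empty"))
    # Browsers refuse a credentialed response whose Access-Control-Allow-Origin is "*".
    if "*" in origins and config.get("allow_credentials") is True:
        findings.append(("wildcard-with-credentials",
                         "list explicit origins or set allow_credentials to false"))
    for method in (m.upper() for m in api_methods):
        if method == "OPTIONS":
            # Restriction: a path that has an OPTIONS API cannot use the plug-in.
            findings.append(("options-api-on-path", "path already defines OPTIONS"))
        elif method not in allowed:
            # Restriction: the API's request method must be in allow_methods.
            findings.append(("method-not-allowed", f"{method} missing from allow_methods"))
    max_age = config.get("max_age")
    if max_age is not None and (isinstance(max_age, bool)
                                or not isinstance(max_age, int) or max_age < 0):
        findings.append(("bad-max-age", "max_age must be a non-negative integer (seconds)"))
    return findings

if __name__ == "__main__":
    for code, message in lint_cors_plugin(PAGE_EXAMPLE, ["GET", "DELETE"]):
        print(f"{code}: {message}")
```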