Help Center/ API Gateway/ User Guide/ Plug-ins/ CORS Plug-in
Updated on 2022-09-26 GMT+08:00
View PDF

CORS Plug-in

For security purposes, the browser restricts cross-domain requests from being initiated from a page script. In this case, the page can access only the resources from the current domain. CORS allows the browser to send XMLHttpRequest to the server in a different domain. For more information, see CORS.

The CORS plug-in provides the capabilities of specifying preflight request headers and response headers and automatically creating preflight request APIs for cross-origin API access.

Usage Guidelines

  • You have understood the Guidelines for Using Plug-ins.
  • APIs with the same request path in an API group can only be bound with the same CORS plug-in.
  • If you have enabled CORS for an API and have also bound the CORS plug-in to the API, the CORS plug-in will be used.
  • You cannot bind the CORS plug-in to APIs with the same request path as another API that uses the OPTIONS method.
  • When you bind a plug-in to an API, ensure that the request method of the API is included in allow_methods.

Configuration Parameters

Table 1 Configuration parameters

Parameter

Description

allowed origins

Access-Control-Allow-Origin response header, which specifies either a single origin, which tells browsers to allow that origin to access an API; or else — for requests without credentials — the "*" wildcard, to tell browsers to allow any origin to access the API. Separate multiple URIs using commas.

allowed methods

Access-Control-Allow-Methods response header, which specifies the HTTP methods allowed when accessing the API. Separate multiple methods using commas.

allowed headers

Access-Control-Allow-Headers response header, which specifies request headers that can be used when making an XMLHttpRequest. Separate multiple headers using commas.

By default, simple request headers Accept, Accept-Language, Content-Language, and Content-Type (only if the value is application/x-www-form-urlencoded, multipart/form-data, or text/plain) are carried in requests. You do not need to configure these headers in this parameter.

exposed headers

Access-Control-Expose-Headers response header, which specifies which response headers can be contained in the response of XMLHttpRequest. Separate multiple headers using commas.

By default, basic response headers Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma can be contained in the response. You do not need to configure these headers in this parameter.

maximum age

Access-Control-Max-Age response header, which specifies for how many seconds the results of a preflight request can be cached. No more preflight requests will be sent within the specified period.

allowed credentials

Access-Control-Allow-Credentials response header, which specifies whether XMLHttpRequest requests can carry cookies.

Example Script

{
  "allow_origin": "*",
  "allow_methods": "GET,POST,PUT",
  "allow_headers": "Content-Type,Accept,Accept-Ranges,Cache-Control",
  "expose_headers": "X-Request-Id,X-Apig-Latency",
  "max_age": 172800,
  "allow_credentials": true
}
Parent topic: Plug-ins