CORS Plug-in
Overview
For security purposes, a browser restricts cross-domain requests initiated from scripts. That is, only resources from the same domain can be requested. However, CORS allows a browser to send XMLHttpRequest requests to a server in a different domain. For details about CORS, see Configuring CORS for APIs.
The CORS plug-in provides the capabilities of specifying preflight request headers and response headers, as well as automatically creating preflight request APIs for quick and flexible cross-domain API access.
Restrictions
- In the same API group, all APIs published in the same environment and with the same request path can be bound only to the same CORS plug-in.
- If you have enabled CORS for an API and have also bound the CORS plug-in to the API, the CORS plug-in will be used.
- If a request path contains an API with the OPTIONS method, none of the APIs in the request path can be bound to the CORS plug-in in the environment where the API is published.
- When you bind a plug-in to an API, ensure that the request method of the API is included in allow_methods.
Parameter Description
| Parameter | Description |
|---|---|
| allow origin | Access-Control-Allow-Origin response header, which specifies the external domain URIs that are allowed to access the API. Use commas (,) to separate multiple URIs. For requests that do not carry identity credentials, set this parameter to * to allow access requests from all domains. |
| allow methods | Access-Control-Allow-Methods response header, which specifies the allowed HTTP request methods. Use commas (,) to separate multiple request methods. |
| allow headers | Access-Control-Allow-Headers response header, which specifies request headers that can be used when sending XMLHttpRequest requests. Use commas (,) to separate multiple headers. By default, simple request headers Accept, Accept-Language, Content-Language, and Content-Type (only if the value is application/x-www-form-urlencoded, multipart/form-data, or text/plain) are carried in requests. You do not need to configure these headers in this parameter. |
| expose headers | Access-Control-Expose-Headers response header, which specifies which response headers can be contained in the response of XMLHttpRequest. Use commas (,) to separate multiple headers. By default, basic response headers Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma can be contained in the response. You do not need to configure these headers in this parameter. |
| max age | Access-Control-Max-Age response header, which specifies the validity period (in seconds) of the preflight request. No more preflight requests are needed within the period. |
| allow credentials | Access-Control-Allow-Credentials response header, which specifies whether XMLHttpRequest requests can carry cookies. Options: |
Script Configuration Example
```json
{
  "allow_origin": "*",
  "allow_methods": "GET,POST,PUT",
  "allow_headers": "Accept-Ranges,Cache-Control",
  "expose_headers": "X-Request-Id,X-Apig-Latency",
  "max_age": 172800,
  "allow_credentials": true
}
```
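A pre-deployment check for a plug-in script, as an added example that is not part of the original documentation or the product's own code. The function name and finding codes are hypothetical; the rules come from the restrictions and parameter descriptions above, plus the browser behaviour that a credentialed cross-origin request fails when Access-Control-Allow-Origin is `*`.

```python
import json

# The sample script from this page, embedded as input for the check.
PAGE_EXAMPLE = json.loads("""
{"allow_origin": "*", "allow_methods": "GET,POST,PUT",
 "allow_headers": "Accept-Ranges,Cache-Control",
 "expose_headers": "X-Request-Id,X-Apig-Latency",
 "max_age": 172800, "allow_credentials": true}
""")

def split_items(value):
    """Split a comma-separated plug-in value into trimmed, non-empty items."""
    return [part.strip() for part in str(value or "").split(",") if part.strip()]

def lint_cors_plugin(config, api_method):
    """Return (code, message) findings for a script bound to one API method."""
    findings = []
    origins = split_items(config.get("allow_origin"))
    methods = {m.upper() for m in split_items(config.get("allow_methods"))}
    credentials = config.get("allow_credentials") is True

    if not origins:
        findings.append(("no-origin", "allow_origin is empty"))
    # The page reserves * for requests that carry no identity credentials.
    if "*" in origins and credentials:
        findings.append(("wildcard-with-credentials",
                         "allow_origin is * while allow_credentials is true; "
                         "list the exact origins that may send cookies"))
    if "*" in origins and len(origins) > 1:
        findings.append(("wildcard-mixed", "* makes the other origins redundant"))
    # Restriction: the bound API's request method must be in allow_methods.
    if api_method.upper() not in methods:
        findings.append(("method-not-allowed",
                         f"{api_method.upper()} is not in allow_methods"))
    max_age = config.get("max_age")
    if max_age is not None and (isinstance(max_age, bool)
                                or not isinstance(max_age, int) or max_age < 0):
        findings.append(("bad-max-age", "max_age must be a non-negative integer"))
    return findings

if __name__ == "__main__":
    for code, message in lint_cors_plugin(PAGE_EXAMPLE, "DELETE"):
        print(f"{code}: {message}")
```

Run against the sample script with a DELETE API, it reports the wildcard origin combined with credentials and the method missing from allow_methods.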