Updated on 2022-12-05 GMT+08:00

CORS Plug-in

Overview

For security purposes, a browser enforces the same-origin policy: a script may read responses only from the origin (scheme, host, and port) that served the page, so cross-domain requests initiated from scripts are restricted. CORS (Cross-Origin Resource Sharing) lets a server opt in to cross-origin access by returning response headers that tell the browser which origins, methods, and headers it accepts; the browser then permits XMLHttpRequest and fetch requests from a page in a different domain to reach that server. For details about CORS, see Configuring CORS for APIs.

The CORS plug-in lets you specify the headers returned in response to preflight (OPTIONS) requests and to the actual requests, and automatically creates the preflight request API for each bound API, so that cross-domain access can be enabled quickly and flexibly without modifying the backend.

Restrictions

  • In the same API group, all APIs published in the same environment and with the same request path must be bound to the same CORS plug-in; they cannot be bound to different CORS plug-ins.
  • If you have enabled CORS for an API and have also bound the CORS plug-in to the API, the CORS plug-in configuration takes precedence.
  • If a request path already contains an API that uses the OPTIONS method, none of the APIs in that request path can be bound to the CORS plug-in in the environment where that API is published, because the plug-in needs to create the OPTIONS (preflight) API itself.
  • When you bind the plug-in to an API, ensure that the request method of the API is included in allow_methods; otherwise the browser rejects the preflight response and never sends the actual request.

Parameter Description

Table 1 Configuration parameters

Parameter

Description

allow origin

Access-Control-Allow-Origin response header, which specifies the external origins (scheme, host, and port, for example https://www.example.com) that are allowed to access the API. Use commas (,) to separate multiple origins. Only an origin that matches an entry exactly is echoed back to the browser.

For requests that do not carry identity credentials, set this parameter to * to allow access requests from all domains. Do not combine * with allow credentials set to true: browsers reject a credentialed response whose Access-Control-Allow-Origin is *, so credentialed access requires the exact origins to be listed.

allow methods

Access-Control-Allow-Methods response header, which specifies the allowed HTTP request methods. Use commas (,) to separate multiple request methods.

allow headers

Access-Control-Allow-Headers response header, which specifies the request headers that scripts may send in XMLHttpRequest requests beyond the safelisted ones. Use commas (,) to separate multiple headers.

By default, the CORS-safelisted (simple) request headers Accept, Accept-Language, Content-Language, and Content-Type (only if the value is application/x-www-form-urlencoded, multipart/form-data, or text/plain) can be carried in requests. You do not need to configure these headers in this parameter. Any other header, including Content-Type with another value such as application/json, triggers a preflight request and must be listed here, or the browser blocks the request.

expose headers

Access-Control-Expose-Headers response header, which specifies the response headers that a script may read from the XMLHttpRequest response. Use commas (,) to separate multiple headers.

By default, the CORS-safelisted response headers Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma can be read by the script. You do not need to configure these headers in this parameter. Any other response header, for example a request ID header, is hidden from the script unless it is listed here.

max age

Access-Control-Max-Age response header, which specifies how long (in seconds) the browser may cache the result of a preflight request. No further preflight requests are sent for the same request within the period. Browsers cap the value they actually honor (for example, Chromium at 7200 seconds and Firefox at 86400 seconds), so larger values do not extend the cache beyond those limits.

allow credentials

Access-Control-Allow-Credentials response header, which specifies whether XMLHttpRequest requests may carry credentials (cookies, HTTP authentication, and client TLS certificates). Options:

  • true: allowed. In this case allow origin must list explicit origins and must not be *.
  • false: not allowed

Script Configuration Example

The following configuration allows non-credentialed requests from any origin. Because allow_origin is *, allow_credentials must be false; to allow cookies or other credentials, replace * with the explicit origins of the calling pages and set allow_credentials to true.

{
  "allow_origin": "*",
  "allow_methods": "GET,POST,PUT",
  "allow_headers": "Accept-Ranges,Cache-Control",
  "expose_headers": "X-Request-Id,X-Apig-Latency",
  "max_age": 172800,
  "allow_credentials": false
}
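The following JavaScript is an added example, not code from this documentation or from the API gateway itself. It models what the parameters in Table 1 do during a browser cross-origin request: which requests need a preflight, how allow_origin is matched and echoed, why * cannot be paired with allow_credentials, and how allow_methods and allow_headers decide whether the preflight succeeds. The configuration, origins and request headers are constructed for the example, and the method check follows the plug-in restriction above (the method must appear in allow_methods).

```javascript
// Added example (not part of this documentation or of APIG): a model of how the
// plug-in's Table 1 parameters are applied to a browser cross-origin request.
// The config below is constructed; the field names follow the script example.

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

const splitList = (s) => String(s).split(",").map((x) => x.trim()).filter(Boolean);

// Request headers that are not CORS-safelisted, i.e. the ones the browser lists in
// Access-Control-Request-Headers. Content-Type counts as safelisted only for the
// three simple media types; application/json forces a preflight.
function nonSafelisted(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SAFE_HEADERS.has(n)) return true;
      if (n !== "content-type") return false;
      return !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase());
}

// A browser sends a preflight unless the method and every header are "simple".
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || nonSafelisted(headers).length > 0;
}

// Browsers reject Access-Control-Allow-Origin: * on a credentialed response, so the
// pair (allow_origin "*", allow_credentials true) can never work.
function validateConfig(cfg) {
  if (cfg.allow_credentials && cfg.allow_origin.trim() === "*") {
    throw new Error("allow_origin '*' cannot be combined with allow_credentials true");
  }
}

// Origin handling shared by preflight and actual responses; null means "not allowed".
function originHeaders(cfg, origin) {
  const out = {};
  if (cfg.allow_origin.trim() === "*") {
    out["Access-Control-Allow-Origin"] = "*";
  } else if (splitList(cfg.allow_origin).includes(origin)) {
    out["Access-Control-Allow-Origin"] = origin; // echo only an exact, listed origin
    out["Vary"] = "Origin"; // per-origin response; keeps shared caches from mixing origins
  } else {
    return null;
  }
  if (cfg.allow_credentials) out["Access-Control-Allow-Credentials"] = "true";
  return out;
}

// Headers for the OPTIONS preflight. The method must be in allow_methods (the
// plug-in restriction above) and every requested header must be in allow_headers.
function preflightResponse(cfg, origin, method, requestedHeaders) {
  validateConfig(cfg);
  const out = originHeaders(cfg, origin);
  if (out === null) return null;
  const methods = splitList(cfg.allow_methods).map((m) => m.toUpperCase());
  if (!methods.includes(method.toUpperCase())) return null;
  const allowed = new Set(splitList(cfg.allow_headers).map((h) => h.toLowerCase()));
  for (const h of requestedHeaders) {
    if (!allowed.has(h.toLowerCase())) return null;
  }
  out["Access-Control-Allow-Methods"] = cfg.allow_methods;
  out["Access-Control-Allow-Headers"] = cfg.allow_headers;
  out["Access-Control-Max-Age"] = String(cfg.max_age);
  return out;
}

// Headers for the actual request: origin check plus the response headers that
// script may read beyond the safelisted ones.
function actualResponse(cfg, origin) {
  validateConfig(cfg);
  const out = originHeaders(cfg, origin);
  if (out === null) return null;
  out["Access-Control-Expose-Headers"] = cfg.expose_headers;
  return out;
}

// Constructed configuration: credentialed access from one explicit origin.
const exampleConfig = {
  allow_origin: "https://app.example.com",
  allow_methods: "GET,POST,PUT",
  allow_headers: "Content-Type,X-Auth-Token",
  expose_headers: "X-Request-Id,X-Apig-Latency",
  max_age: 172800,
  allow_credentials: true,
};

// Walk one PUT with a JSON body through the preflight and the actual request.
function demo() {
  const headers = { "Content-Type": "application/json", "X-Auth-Token": "t0k" };
  const preflight = needsPreflight("PUT", headers)
    ? preflightResponse(exampleConfig, "https://app.example.com", "PUT", nonSafelisted(headers))
    : {};
  const actual = actualResponse(exampleConfig, "https://app.example.com");
  return { preflight, actual };
}
console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; demo() shows that the JSON Content-Type alone is enough to force a preflight, and that the preflight succeeds only because both Content-Type and X-Auth-Token are listed in allow_headers. Swap the origin for one not in allow_origin, or the method for DELETE, and the functions return null, which is the case where a real browser reports a CORS error and never sends the actual request.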