CORS policy not working

[AghaSaad04]

Issue:

I have published an API publicly. To test the CORS policy, I am trying to request to the endpoint from a different origin but getting the API response but I think it should have given me some CORS response or error.

Goal:

Basically my end-goal is to allow only specific origin to make a request on the endpoint.

Any leads would be helpful. Thanks

[msavy]

You need to share the basics of your CORS policy configuration otherwise we will not be able to help.

The policy seems to work fine for me.

[AghaSaad04]

Hi @msavy, thanks for the response.

These are the configurations right now we are using in CORS policy

[msavy]

That looks like a normal configuration. How are you testing it?

CORS protocol operates against the Origin header, which is set automatically in browsers but if you are testing using cURL or postman you'll need to set it yourself

[AghaSaad04]

We are accessing the API through browser. Is there any other configurations that can override the CORS policy?

[msavy]

Not that I'm aware of. Just make sure you are operating on the correct API and the policy is definitely in the chain.

You can verify that by looking at the CORS headers of the response. For example, Access-Control-Allow-Origin.

If you are using a complex request like a POST then you will get preflight headers back also.

e.g. curl -v -H "Origin: http://foo.com" http://localhost:8080/apiman-gateway/test/test123/1.0

[AghaSaad04]

When you refer the API policy chain? What do you mean by that?
If it is available can you jump on call with us?

[AghaSaad04]

Basically what we are trying to do is, we are wrapping a 3rd party API through APIMan. We implement the gateway, For now we implemented the CORS policy to test on that.

[msavy]

Sorry, I'm not available for calls with community support. I do my best on community support when I have spare time (vs paid work that pays the bills!).

More info is available here on what the concept of a policy chain is in Apiman: https://apiman.gitbooks.io/apiman-user-guide/content/user-guide/manager/concepts.html#_policy_chain

Please look at the HTTP response headers that come back from the call you have made through the Apiman Gateway to your API. Do you see CORS headers in the response?

You should see things like Access-Control-Allow-Origin (and a variety of other headers if you are doing a complex or preflight request). These should be familiar to you if you know the CORS protocol.

[msavy]

As an example, I've set up a CORS policy that requires allows 1 origin http://foo.com

If I do a cURL request as follows:

curl -v -XGET -H "Origin: http://foo.com" http://localhost:8080/apiman-gateway/test/test123/1.0

I get a successful response (correct).

From the response you can see the following useful header(s)

> GET /apiman-gateway/test/test123/1.0 HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Origin: http://foo.com <-- origin set above
>
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: http://foo.com <-- CORS allow origin (comes from CORS policy)
< Access-Control-Allow-Credentials: true <-- I set the CORS policy to allow credentials

If I use a deliberately invalid origin, then it fails:

❯ curl -v -XGET -H "Origin: http://wrongorigin.com" http://localhost:8080/apiman-gateway/test/test123/1.0

> GET /apiman-gateway/test/test123/1.0 HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Origin: http://wrongorigin.com
>
< HTTP/1.1 400 Bad Request <-- I set Apiman to return an error when CORS fails
< X-Policy-Failure-Type: Authorization
< Access-Control-Allow-Origin: <-- header is empty. 
< X-Policy-Failure-Code: 400
< Access-Control-Allow-Credentials: true
< Content-Type: application/json
< X-Policy-Failure-Message: CORS: Origin not permitted.
<
* Connection #0 to host localhost left intact
{"type":"Authorization","failureCode":400,"responseCode":400,"message":"CORS: Origin not permitted.","headers":{"Access-Control-Allow-Credentials":"true","Access-Control-Allow-Origin":""}}* Closing connection 0

[AghaSaad04]

Hi @msavy, I am a bit confused that how you are requesting to localhost? My gateway for the API is my DNS and not localhost, hence endpoint of my API doesn't start with localhost. Also how can your localhost API be public and accessible to everyone?

The following blog also suggests the same and uses the localhost endpoint for the public API.

https://www.apiman.io/blog/security/plugin/policy/cors/1.2.x/2016/01/22/cors-redux.html

[msavy]

Because I was using localhost for the demonstration purposes (i.e. running Apiman on my local machine). The concepts are exactly the same.

If you want anyone to be allowed to invoke the API (via CORS config), then just set the Access-Control-Allow-Origin header to *.

And you can add all non-simple methods to the preflight Access-Control-Allow-Methods list (PUT, PATCH, etc).