This pageapplies toApigee andApigee hybrid.

View Apigee Edge documentation.

Cross-origin resource sharing (CORS) is a standard mechanism that allows JavaScript XMLHttpRequest (XHR) calls executed in a web page to interact with resources from non-origin domains. CORS is a commonly implemented solution to thesame-origin policy that is enforced by all browsers.

For example, if you make an XHR call to the Twitter API from JavaScript code executing in your browser, the call will fail. This is because the domain serving the page to your browser is not the same as the domain serving the Twitter API. CORS provides a solution to this problem by allowing servers toopt-in if they wish to provide cross-origin resource sharing.

One use case for CORS is the developer portal SmartDoc'sTry this API feature. For information, see Configuring your API proxy to support the Try this API panel.

The CORS policy allows Apigee customers to set CORS policies for APIs consumed by web applications.

Implementing a CORS policy can relax the same-origin policy (SOP). If a proxy developer sets theAccess-Control-Allow-Origin header to allow all (*), it effectively disables the same-origin protection.

TheAllowOrigins field is a required policy element and the default should not be set to allow all (*). Policy developers should make cautious decisions before exposing their resources.

This policy is aStandard policy and can be deployed to any environment type. For information on policy types and availability with each environment type, seePolicy types.

<CORS> element

Defines the CORS policy.

The<CORS> element uses the following syntax:

<CORScontinueOnError="[false|true]"enabled="[false|true]"name="POLICY_NAME"><DisplayName>DISPLAY_NAME</DisplayName><AllowOrigins>[{messagetemplate}|URL|URL,URL,...|{context-variable}|{flow-variable}|*]</AllowOrigins><AllowMethods>[GET,PUT,POST,DELETE,...|*]</AllowMethods><AllowHeaders>[origin,x-requested-with,accept,content-type,...]</AllowHeaders><ExposeHeaders>[X-CUSTOM-HEADER-A,X-CUSTOM-HEADER-B,...|*]</ExposeHeaders><MaxAge>[integer|-1]</MaxAge><AllowCredentials>[false|true]</AllowCredentials><GeneratePreflightResponse>[false|true]</GeneratePreflightResponse><IgnoreUnresolvedVariables>[false|true]</IgnoreUnresolvedVariables></CORS>

<CORScontinueOnError="false"enabled="true"name="add-cors"><DisplayName>AddCORS</DisplayName><AllowOrigins>{request.header.origin}</AllowOrigins><AllowMethods>GET,PUT,POST,DELETE</AllowMethods><AllowHeaders>origin,x-requested-with,accept,content-type</AllowHeaders><ExposeHeaders>*</ExposeHeaders><MaxAge>3628800</MaxAge><AllowCredentials>false</AllowCredentials><GeneratePreflightResponse>true</GeneratePreflightResponse><IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables></CORS>

This element has the following attributes that are common to all policies:

Each of the child elements is described in the sections that follow.

Examples

Examples are provided for all of the child elements in the following sections.

Child element reference

This section describes the child elements of<CORS>.

<AllowCredentials>

Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. Translates to theAccess-Control-Allow-Credentials header.

The<AllowCredentials> element uses the following syntax:

<CORScontinueOnError="[false|true]"enabled="[false|true]"name="POLICY_NAME"><AllowOrigins>[{messagetemplate}|URL|URL,URL,...|{context-variable}|{flow-variable}|*]</AllowOrigins><AllowCredentials>[false|true]</AllowCredentials></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors">  <AllowOrigins>{request.header.origin}</AllowOrigins><AllowCredentials>false</AllowCredentials></CORS>

<AllowHeaders>

List of HTTP headers that can be used when requesting the resource.Serialized to theAccess-Control-Allow-Headers header.

* For more information, see What is a message template?

The<AllowHeaders> element uses the following syntax:

<CORScontinueOnError="[false|true]"enabled="[false|true]"name="POLICY_NAME"><AllowOrigins>[{messagetemplate}|URL|URL,URL,...|{context-variable}|{flow-variable}|*]</AllowOrigins><AllowHeaders>[origin,x-requested-with,accept,content-type,...]</AllowHeaders></CORS>

<CORScontinueOnError="false"enabled="true"name="add-cors"><AllowOrigins>{request.header.origin}</AllowOrigins><AllowHeaders>origin,x-requested-with,accept,content-type</AllowHeaders></CORS>

<AllowMethods>

List of HTTP methods allowed to access the resource. The content will beserialized into theAccess-Control-Allow-Methods header.

* For more information, see What is a message template?

The<AllowMethods> element uses the following syntax:

<CORScontinueOnError="[false|true]"enabled="[false|true]"name="POLICY_NAME"><AllowOrigins>[{messagetemplate}|URL|URL,URL,...|{context-variable}|{flow-variable}|*]</AllowOrigins><AllowMethods>[GET,PUT,POST,DELETE,...|*]</AllowMethods></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors">  <AllowOrigins>{request.header.origin}</AllowOrigins><AllowMethods>GET, PUT, POST, DELETE</AllowMethods></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors">  <AllowOrigins>{request.header.origin}</AllowOrigins><AllowMethods>*</AllowMethods></CORS>

<AllowOrigins>

A list of origins that are allowed to access the resource. Use an asterisk (*) to enable access to a resource from any origin. Otherwise, provide an allow list of comma-separated origins. If a match is found, then the outgoingAccess-Control-Allow-Origin is set to the origin as provided by the client.

* For more information, see What is a message template?

The<AllowOrigins> element uses the following syntax:

<CORScontinueOnError="[false|true]"enabled="[false|true]"name="POLICY_NAME"><AllowOrigins>[{messagetemplate}|URL|URL,URL,...|{context-variable}|{flow-variable}|*]</AllowOrigins></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors"><AllowOrigins>https://www.w3.org</AllowOrigins></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors"><AllowOrigins>https://www.w3.org, https://www.apache.org</AllowOrigins></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors"><AllowOrigins>{origins.list}</AllowOrigins></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors"><AllowOrigins>{request.header.origin}</AllowOrigins></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors"><AllowOrigins>*</AllowOrigins></CORS>

<DisplayName>

Use in addition to thename attribute to label the policy in the management UI proxy editor with a different, more natural-sounding name.

The<DisplayName> element is common to all policies.

The<DisplayName> element uses the following syntax:

<PolicyElement><DisplayName>POLICY_DISPLAY_NAME</DisplayName>  ...</PolicyElement>

<PolicyElement><DisplayName>My Validation Policy</DisplayName></PolicyElement>

The<DisplayName> element has no attributes or child elements.

<ExposeHeaders>

A list of HTTP headers that the browsers are allowed to access or an asterisk (*) to allow all HTTP headers.Serialized into theAccess-Control-Expose-Headers header.

* For more information, see What is a message template?

The<ExposeHeaders> element uses the following syntax:

<CORScontinueOnError="[false|true]"enabled="[false|true]"name="POLICY_NAME"><AllowOrigins>[{messagetemplate}|URL|URL,URL,...|{context-variable}|{flow-variable}|*]</AllowOrigins><ExposeHeaders>[X-CUSTOM-HEADER-A,X-CUSTOM-HEADER-B,...|*]</ExposeHeaders></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors">  <AllowOrigins>{request.header.origin}</AllowOrigins><ExposeHeaders>*</ExposeHeaders></CORS>

<GeneratePreflightResponse>

Indicate whether the policy should generate and return the CORS preflight response. Iffalse, no response is sent. Instead, the followingflow variables are populated:

• cross_origin_resource_sharing.allow.credentials
• cross_origin_resource_sharing.allow.headers
• cross_origin_resource_sharing.allow.methods
• cross_origin_resource_sharing.allow.origin
• cross_origin_resource_sharing.allow.origins.list
• cross_origin_resource_sharing.expose.headers
• cross_origin_resource_sharing.max.age
• cross_origin_resource_sharing.preflight.accepted
• cross_origin_resource_sharing.request.headers
• cross_origin_resource_sharing.request.method
• cross_origin_resource_sharing.request.origin
• cross_origin_resource_sharing.request.type

The<GeneratePreflightResponse> element uses the following syntax:

<CORS continueOnError="[false|true]" enabled="[false|true]" name="POLICY_NAME">  <GeneratePreflightResponse>[false|true]</GeneratePreflightResponse>  <GeneratePreflightResponse>[false|true]</GeneratePreflightResponse></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors">  <AllowOrigins>{request.header.origin}</AllowOrigins><GeneratePreflightResponse>true</GeneratePreflightResponse></CORS>

<IgnoreUnresolvedVariables>

Determines whether processing stops when an unresolved variable is encountered. Set totrue to ignore unresolved variables and continue processing; otherwisefalse.

The<IgnoreUnresolvedVariables> element uses the following syntax:

<CORScontinueOnError="[false|true]"enabled="[false|true]"name="POLICY_NAME"><AllowOrigins>[{messagetemplate}|URL|URL,URL,...|{context-variable}|{flow-variable}|*]</AllowOrigins><IgnoreUnresolvedVariables>[false|true]</IgnoreUnresolvedVariables></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors">  <AllowOrigins>{request.header.origin}</AllowOrigins><IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables></CORS>

<MaxAge>

Specifies how long the results of a preflight request can be cached in seconds. A value of-1 populates theAccess-Control-Max-Age header with a value of-1, which disables caching, requiring a preflightOPTIONS check for all calls. This is defined in the Access-Control-Max-Age specification.

The<MaxAge> element uses the following syntax:

<CORScontinueOnError="[false|true]"enabled="[false|true]"name="POLICY_NAME"><AllowOrigins>[{messagetemplate}|URL|URL,URL,...|{context-variable}|{flow-variable}|*]</AllowOrigins><MaxAge>[integer|-1]</MaxAge></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors">  <AllowOrigins>{request.header.origin}</AllowOrigins><MaxAge>3628800</MaxAge></CORS>

<CORS continueOnError="false" enabled="true" name="add-cors">  <AllowOrigins>{request.header.origin}</AllowOrigins><MaxAge>-1</MaxAge></CORS>

Usage notes

OPTIONS requests

When anOPTIONS request is received and processed by the CORS policy, proxy flow execution transfers directly to the Proxy Response PreFlow, skipping the request flows entirely and continues execution from there. There is no need to create a Condition to ignore the OPTIONS request in the proxy request flow.

On subsequent calls, when the CORS policy executes, if theMaxAge set in the policy has not expired, the flow continues as normal. During the final response flow just before "Response Sent to Client," a special CORS execution step "CORSResponseOrErrorFlowExecution" sets CORS response headers (Access-Control-Allow-Credentials,Access-Control-Allow-Origin, andAccess-Control-Expose-Headers) to return a CORS-validated response.

Error codes

This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee when this policy triggers an error. This information is important to know if you are developing fault rules to handle faults. To learn more, see What you need to know about policy errors and Handling faults.

Runtime errors

These errors can occur when the policy executes.

Deployment errors

These errors can occur when you deploy a proxy containing this policy.

Fault variables

These variables are set when this policy triggers an error at runtime. For more information, see What you need to know about policy errors.

{"fault":{"detail":{"errorcode":"steps.cors.UnresolvedVariable"},"faultstring":"CORS[AddCORS]: unable to resolve variable wrong.var"}}

<FaultRule name="Add CORS Fault">    <Step>        <Name>Add-CORSCustomUnresolvedVariableErrorResponse</Name>        <Condition>(fault.name Matches "UnresolvedVariable") </Condition>    </Step>    <Condition>(cors.Add-CORS.failed = true) </Condition></FaultRule>