Forum Discussion

Rory_Hewitt_F5_'s avatar
Jul 10, 2015

Adding CORS response headers

Hey all,   There are a number of other older (2013-era) threads about CORS headers, and I want to ask a specific question which has not been asked there:   Can I add a response header using HTTP:...
  • Rory_Hewitt_F5_'s avatar
    Oct 08, 2015

    To anyone who comes in afterwards and wants to find a 'final' solution, here's what we ended up with (which functions perfectly, at least for us):

     

    when HTTP_REQUEST priority 200 {
        unset cors_origin -nocomplain
        if { [HTTP::header Origin] ends_with ".example.com" } {
            if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } {
                 CORS preflight request - return response immediately
                HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \
                                  "Access-Control-Allow-Methods" "POST, GET, OPTIONS" \
                                  "Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \
                                  "Access-Control-Max-Age" "86400"
            } else {
                 CORS GET/POST requests - set cors_origin variable
                set cors_origin [HTTP::header "Origin"]
            }
        }
        ...
        ...
        ...
        other irules
        ...
        ...
        ...
    }
    when HTTP_RESPONSE {
         CORS GET/POST response - check cors_origin variable set in request
        if { [info exists cors_origin] } {
            HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
            HTTP::header insert "Access-Control-Allow-Credentials" "true"
            HTTP::header insert "Vary" "Origin"
        }
    }
    

     

    If you have any comments about this, please do so. And, of course, feel free to use it yourself.