Forum Discussion

houstonrob's avatar
houstonrob
Icon for Nimbostratus rankNimbostratus
Jan 10, 2018

CORS iRule Problem

I'm having a lot of trouble setting CORS headers and I'm hoping someone with more familiarity can help me out. This is my first time working with CORS, in fact until a few days ago I had never even heard of it. After some reading, my understanding is that CORS is a way to prevent a webpage from referencing another webpage.

 

So I have a page, we'll call it siteA, that gets some dynamic data from another webpage, siteB (both are internal pages) and my understanding is that siteB will not talk to siteA unless siteA presents a CORS header with a value of siteA.domain.com; is this even the correct interpretation of how this is supposed to work?

 

DevCentral keeps marking as spam so I might end up posting a partial explanation

 

  • SiteA and siteB are behind the same VIP, I just use an iRule to determine which pool gets hit based on the URL and they both get authenticated by APM.

     

    I wrote this based on my understanding of CORS, but when I look at the traffic in fiddler, I never see a CORS header. Anyone who's done this know where I might be going wrong or if I'm completely misunderstanding how CORS is supposed to work?

     

    I've read a few other posts on here related to CORS, but the solutions didn't seem to work for me.

     

    Any help is appreciated!

     

  • This board would not let me post this as one message, kept saying its spam. Here's the iRule

    when HTTP_REQUEST {
    
     set Origin [HTTP::header Origin]
    
     if { [HTTP::header exists Origin] } {
            log local0. "We found an origin header:[HTTP::header Origin]"
            if { [HTTP::header Origin] eq "https://siteA.domain.com" } {
                log local0. "it did equal siteA $Origin and the method is [HTTP::method]"
                switch [HTTP::method] {
                    "OPTIONS" {
                        log local0. "hitting the OPTIONS response"
                        HTTP::respond 200 noserver  Allow "GET,HEAD,POST,OPTIONS" \
                                                        Access-Control-Allow-Origin "[HTTP::header Origin]" \
                                                        Access-Control-Allow-Methods "GET,POST" \
                                                        Access-Control-Max-Age "86400" \
                                                        Access-Control-Allow-Credentials "true"
                        return
                                   }
                                   "GET" {
                                       log local0. "method is get setting the Origin variable with [HTTP::header Origin]"
                                       set Origin [HTTP::header Origin]
                    }
                    "POST" {
                                       log local0. "method is get setting the Origin variable with [HTTP::header Origin]"
                                       set Origin [HTTP::header Origin]
                    }
                }
            } else {
                log local0. "The origin header did not match siteA $Origin"
                if {[HTTP::method] eq "OPTIONS"} {
                        log local0. "Wasnt siteA and method was options"
                        HTTP::respond 200 noserver Allow "GET,POST,HEAD,OPTIONS"
                        return
                    }
            }
     }
    
    }
    
    when HTTP_RESPONSE {
    
     log local0. "The variable origin has a value of $Origin"
        if {$Origin ne ""} {
           log local0. "Adding in an origin header $Origin"
           HTTP::header insert "Access-Control-Allow-Origin" $Origin
           HTTP::header insert "Access-Control-Allow-Methods" "GET,POST"
           HTTP::header insert "Access-Control-Max-Age" "86400"
           HTTP::header insert "Allow" "GET,HEAD,POST,OPTIONS"
        }
        log local0. "inserting Vary and Origin"
        HTTP::header insert "Vary" "Origin"
    }
    
  • It looks like my problem is with the response, the log shows a ton of "The variable has a value of" messages with nothing for the $Origin value; I'm pretty sure this should have a value. It looks like I never get a log message saying "Adding in an origin header $Origin"; does anyone see anything that might be wrong with how I'm doing this?

     

  • Hello,

    Use

    Access-Control-Allow-Headers "Origin, Content-Type, Accept, Xx, Yy, Zz, etc" \
    in the HTTP_REQUEST. And let me know what is the error so that we can see whether a data group is required.

    -Harsha.