How to configure CORS

Imported Google Group message. Original thread at: Redirecting to Google Groups Import Date: 2016-01-19 21:28:55 +0000.
Sender:Ian Harris.
Date:Thursday, 22 October 2015 11:27:50 UTC+1.

Hi Martin,

I’m just wondering how I should go about configuring CORS. Are there any docs about this?

We’ve tried to configure with an empty and wildcarded allowed_origins but with no luck. Is this supported?

Thanks,
Ian.

Imported Google Group message.
Sender:Martin Buhr.
Date:Thursday, 22 October 2015 11:37:10 UTC+1.

Hi Ian,

CORS is pretty straightforward to set up: in the dashboard, under advanced options, there’s a CORS section.

Use the “allowed origins” field, and type an asterisk (*) for a wildcard. Then click the “Add” button, then save the API.

Make sure to set “Enable CORS”

The API will now enforce CORS.

There’s not much to it except for that.

Cheers,
Martin

Imported Google Group message.
Sender:Martin Buhr.
Date:Thursday, 22 October 2015 11:43:55 UTC+1.

To add to the above, how are you testing it? If you are using Postman to test CORS you’ll be in trouble, because it runs in a browser, which doesn’t allow CORS fiddling (the Origin header is protected). You will need to use curl or some other manual tool to verify the headers:

curl -D - -H "Authorization: 53ac07777cbb8c2d530000025b38ff83bdbc4cdc5d0b7736fe134b7a" -H 'Origin: http://flibble' http://domain.com:8080/b605a6f03cc14f8b74665452c263bf19/

Cheers,
Martin

Imported Google Group message.
Sender:Ian Harris.
Date:Thursday, 22 October 2015 14:04:51 UTC+1.

Hi Martin,

I’m testing from Chrome. A Wireshark trace shows both the pre-flight and actual requests succeeding. However, the response to the actual GET request has two Access-Control-Allowed-Headers which Chrome doesn’t like. The JavaScript then has no access to the response text. Could this be a config issue?

Thanks,
Ian.

Imported Google Group message.
Sender:Martin Buhr.
Date:Thursday, 22 October 2015 14:13:37 UTC+1.

Hi Ian,

Is the upstream app adding CORS headers? We noticed this happening when testing against httpbin, which adds its own headers which then unfortunately get duplicated.

Cheers,
Martin
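
Added example (not part of the original thread and not Tyk's own code): a small shell check that lists any Access-Control-* response header appearing more than once in a header dump, which is the symptom discussed above when both the gateway and the upstream add CORS headers. The sample header dumps are constructed, and `$URL` and the Origin value in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: detect duplicated CORS response headers in a header dump.
#
# Usage against a live endpoint (placeholders, adjust to your API):
#   curl -s -o /dev/null -D - -H 'Origin: http://example.test' "$URL" | dup_cors_headers

# Reads raw response headers on stdin and prints "count name" for every
# Access-Control-* header seen more than once. Names are lower-cased so
# HTTP/1.1 and HTTP/2 dumps are treated the same way.
dup_cors_headers() {
    tr -d '\r' | awk -F: '
        tolower($1) ~ /^access-control-/ { seen[tolower($1)]++ }
        END { for (h in seen) if (seen[h] > 1) print seen[h], h }
    ' | sort -k2
}

# Constructed sample: gateway and upstream both add Allow-Origin.
sample_duplicated() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Access-Control-Allow-Origin: *' \
        'Content-Type: application/json' \
        'Access-Control-Allow-Origin: *' \
        'Access-Control-Allow-Credentials: true' \
        ''
}

# Constructed sample: only one layer adds CORS headers.
sample_clean() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Access-Control-Allow-Origin: *' \
        'Content-Type: application/json' \
        ''
}

# Demo run on the constructed duplicated sample.
sample_duplicated | dup_cors_headers
```

Any line printed means a browser will see that header twice; an empty result means each CORS header is set by only one layer.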

Imported Google Group message.
Sender:Ian Harris.
Date:Thursday, 22 October 2015 15:16:18 UTC+1.

Hi Martin,

Definitely in my testing it is then because I was using httpbin in my tests. Our CTO has been testing against some other APIs; I’ll check with him. Is it possible to remove the repeated headers in Tyk or do we need to disable CORS on the target API?

Thanks,
Ian.

Imported Google Group message.
Sender:Martin Buhr.
Date:Thursday, 22 October 2015 15:19:19 UTC+1.

Hi Ian,

Yes, it is possible to remove the headers. You can try to use the HTTP Header transform middleware plugin to remove the response header; since our CORS middleware writes directly to the TCP stream before the proxy copies in the response, it should work.

Cheers,
Martin

Imported Google Group message.
Sender:Ian Harris.
Date:Thursday, 22 October 2015 16:51:51 UTC+1.

Hi Martin,

That looks like it will do the trick. I’ve been having a look at some of the examples for the custom_middleware.

Am I right in thinking that I should be configuring the “response” entry of the middleware - as opposed to pre or post?

Would it suffice to remove all Access-Control-Accept-Origin headers and then re-add all in the same js script?

Thanks,
Ian.

Imported Google Group message.
Sender:JC Wu.
Date:Friday, 23 October 2015 08:05:46 UTC+1.

Hi Ian & Martin,

I met the same issue with you, seems the CORS does not work:

Imported Google Group message.
Sender:Martin Buhr.
Date:Friday, 23 October 2015 08:34:36 UTC+1.

Hi JC,

It looks like your API client is sending the origin as “null”, not with an actual valid origin?

Cheers,
Martin

Imported Google Group message.
Sender:JC Wu.
Date:Monday, 26 October 2015 02:17:14 UTC.

Hi Martin,

I tried to fix the origin issue, but it still has a CORS problem, and my origin API supports CORS fine, so could you kindly help me figure out the CORS problem on Tyk?

Imported Google Group message.
Sender:Martin Buhr.
Date:Monday, 26 October 2015 06:26:00 UTC.

Hi JC,

Not sure I understand this - your second screenshot shows a request that is going via Tyk returning with CORS headers that say the request is OK but the request returns with a 500 internal status error.

Your JavaScript console has the same error, first a 500 error, then two CORS errors. But the response does have the CORS headers.

So, first I would check if the gateway is throwing an error for some reason (check the output logs), and second, your API endpoint is returning a 500 error for some reason, you can see the generator header is generated by the app, not Tyk but all the Tyk specific rate limiting headers are there (meaning the request was proxied successfully).

Cheers,
Martin

