
Can Ambassador handle CORS requests?

I'm sorry if this is a very ignorant question but is it possible for Ambassador to truly handle CORS headers and pre-flight OPTION responses?

The docs (https://www.getambassador.io/reference/cors) seem kind of ambiguous to me, if there are just hooks to prevent requests, or if it can truly respond on behalf of the services.

Here's my situation: I've got Ambassador in front of all the http requests to some microservices. For [reasons] we now need a separate domain to make requests into the same Ambassador.

I have an AuthService configured, and according to the docs "When you use external authorization, each incoming request is authenticated before routing to its destination, including pre-flight OPTIONS requests." Which makes perfect sense, and that's what I'm seeing. My AuthService is configured to allow things correctly and that seems to be working. The AuthService responds with the appropriate headers, but Ambassador seems to just ignore that and only cares if the AuthService responds with a 200 or not. (Which seems totally reasonable.)

I have this annotated on my ambassador module:

getambassador.io/config: |
  --- 
  apiVersion: ambassador/v1
  kind:  Module
  name:  ambassador
  config:
    service_port: 8080
    cors:
      origins: [my domain here]
      credentials: true

And that doesn't seem to do what I'd expect, which is handle the CORS headers and pre-flight... instead it forwards it on to the service to handle all the CORS stuff.

xbakesx asked May 31 '19 14:05




1 Answer

Turns out, by specifying headers: "Content-Type" in the cors configuration, things just started to work. Apparently that's not as optional as I thought.

So this is now my module:

getambassador.io/config: |
  ---
  apiVersion: ambassador/v1
  kind:  Module
  name:  ambassador
  config:
    service_port: 8080
    cors:
      origins: [my domain here]
      headers: "Content-Type"
      credentials: true
xbakesx answered Oct 16 '22 08:10
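Why the `headers` entry matters from the browser's side, as an added example that is not part of the original post: a simplified model of the preflight check in the Fetch standard, which also covers the origin, credentials and method checks. The origin, the JSON POST and both sets of response headers are constructed assumptions about what a gateway returns without and with `headers: "Content-Type"`.

```javascript
// Simplified model of the browser's CORS preflight check (Fetch standard).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Split a comma-separated header value into lowercase tokens.
const tokens = (v) =>
  new Set((v || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean));

// Names of request headers the preflight response must explicitly allow.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n !== "content-type") return !SAFE_HEADERS.has(n);
    return !SAFE_TYPES.has(value.split(";")[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase());
}

function checkPreflight(req, status, resHeaders) {
  const h = Object.fromEntries(
    Object.entries(resHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const fail = (reason) => ({ ok: false, reason });
  if (status < 200 || status > 299) return fail("preflight status is not 2xx");
  const origin = h["access-control-allow-origin"];
  // With credentials, "*" is treated as a literal and never matches.
  if (origin !== req.origin && (req.credentials || origin !== "*"))
    return fail("origin not allowed");
  if (req.credentials && h["access-control-allow-credentials"] !== "true")
    return fail("credentials not allowed");
  const wildcard = (set) => !req.credentials && set.has("*");
  const methods = tokens(h["access-control-allow-methods"]);
  const method = req.method.toUpperCase();
  if (!SAFE_METHODS.has(method) && !methods.has(method.toLowerCase()) && !wildcard(methods))
    return fail(`method ${method} not allowed`);
  const allowed = tokens(h["access-control-allow-headers"]);
  for (const name of unsafeHeaders(req.headers))
    if (!allowed.has(name) && !wildcard(allowed))
      return fail(`request header ${name} not allowed`);
  return { ok: true, reason: "allowed" };
}

// Constructed sample: credentialed JSON POST from a second domain (assumed).
const jsonPost = { origin: "https://app.example.com", method: "POST",
  credentials: true, headers: { "Content-Type": "application/json" } };
// Constructed preflight responses, without and with the allowed-headers entry.
const withoutHeaders = { "Access-Control-Allow-Origin": "https://app.example.com",
  "Access-Control-Allow-Credentials": "true" };
const withHeaders = { ...withoutHeaders, "Access-Control-Allow-Headers": "Content-Type" };
```

A `Content-Type` of `text/plain` or a form encoding is safelisted and passes without the entry, which is why the same gateway configuration can appear to work for some requests and fail for JSON bodies.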