CORS Headers
(MI.CrossoriginPolicy)
Overview
Browsers block web pages from making requests to a different origin (domain, scheme, or port) than the one that served the page, unless the origin that serves the requested resource explicitly allows it via CORS headers. Add the CORS Headers feature to the site configuration to authorize access to origin resources from other specified origins.
This is useful when a site needs to load resources hosted on a different origin. CORS headers signal to the browser that such cross-origin requests are permitted.
When this rule is configured, the appropriate CORS headers are dynamically added to the origin responses to indicate which cross-origin requests are allowed. You can also use this rule to define additional preflight processing behaviors.
Examples
Example 1: Enable Cross Origin Requests for All Origins
This example sets the following policies:
"pattern": "*"
: The "pattern" field specifies the origins that are allowed. In this example, the "*" wildcard value means that cross-origin requests from any origin are allowed.
"wildcard-return": true
: When the CDN responds to a cross-origin resource request and includes the "Access-Control-Allow-Origin" header in its response, the header value will be the wildcard value (*) rather than the specific origin value from the incoming request's "Origin" header.
{
  "generic-metadata-type": "MI.CrossoriginPolicy",
  "generic-metadata-value": {
    "allow-origin": {
      "allow-list": [
        {
          "pattern": "*"
        }
      ],
      "wildcard-return": true
    }
  }
}
Example 2: Include Preflight CORS Parameters
{
  "generic-metadata-type": "MI.CrossoriginPolicy",
  "generic-metadata-value": {
    "allow-credentials": true,
    "allow-headers": [
      "X-Custom-Header",
      "Upgrade-Insecure-Requests"
    ],
    "allow-methods": [
      "GET",
      "PUT",
      "OPTIONS"
    ],
    "allow-origin": {
      "allow-list": [
        {
          "pattern": "*"
        }
      ],
      "wildcard-return": true
    },
    "expose-headers": [
      "Content-Encoding"
    ],
    "max-age": 3000
  }
}
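The following check is an added example, not part of the product or its documentation: it audits an MI.CrossoriginPolicy object for the interaction between allow-credentials and the allow-origin settings, using Example 2 above as input. It assumes that an omitted boolean field behaves as false and that, with wildcard-return set to false, the CDN returns the request's own Origin value; the function names and finding codes are made up for this example.

```python
import json

# Example 2 from this page, unchanged except for whitespace.
EXAMPLE_2 = json.loads("""
{"generic-metadata-type": "MI.CrossoriginPolicy",
 "generic-metadata-value": {
   "allow-credentials": true,
   "allow-headers": ["X-Custom-Header", "Upgrade-Insecure-Requests"],
   "allow-methods": ["GET", "PUT", "OPTIONS"],
   "allow-origin": {"allow-list": [{"pattern": "*"}], "wildcard-return": true},
   "expose-headers": ["Content-Encoding"],
   "max-age": 3000}}
""")

def with_wildcard_return(policy, flag):
    """Return a deep copy of policy with allow-origin.wildcard-return set to flag."""
    copy = json.loads(json.dumps(policy))
    copy["generic-metadata-value"]["allow-origin"]["wildcard-return"] = flag
    return copy

def audit_cors_policy(policy):
    """Return a list of (code, message) findings; an empty list means none."""
    value = policy.get("generic-metadata-value", {})
    allow_origin = value.get("allow-origin", {})
    entries = allow_origin.get("allow-list", [])
    any_origin = any(entry.get("pattern") == "*" for entry in entries)
    # Assumption: an omitted boolean field behaves as false.
    wildcard_return = allow_origin.get("wildcard-return") is True
    credentials = value.get("allow-credentials") is True
    if credentials and wildcard_return:
        # Fetch standard: a credentialed request fails the CORS check when
        # Access-Control-Allow-Origin is "*", so the browser withholds the response.
        return [("CREDS_WITH_WILDCARD",
                 "credentialed requests will be rejected by browsers")]
    if credentials and any_origin:
        # Assumption: the CDN echoes the request Origin here, so every site
        # could read responses fetched with the user's credentials.
        return [("CREDS_ANY_ORIGIN",
                 "restrict allow-list to the origins that need credentialed access")]
    if any_origin:
        return [("ANY_ORIGIN", "suitable only for resources that are public")]
    return []

if __name__ == "__main__":
    for label, policy in (("Example 2", EXAMPLE_2),
                          ("wildcard-return false", with_wildcard_return(EXAMPLE_2, False))):
        print(label, audit_cors_policy(policy))
```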
Supported Properties
Field | Description |
---|---|
allow-credentials | Determines if credentials are exposed in the response, in the Access-Control-Allow-Credentials header. Supported values are true, false. |
allow-headers | An array of the headers allowed to be used in subsequent cross-origin requests. If a client uses other headers, the browser blocks the request. |
allow-methods | The HTTP methods supported for cross-origin requests. |
allow-origin | Defines which request origins are permitted to access resources. |
expose-headers | An array of the headers to be exposed in the response, in the Access-Control-Expose-Headers header, and made available to the client. |
max-age | Sets a TTL for the CORS headers, in seconds. Can be used to reduce traffic to the origin. |