The Cross-Origin Resource Sharing (CORS) feature regulates client-side cross-origin requests by providing policy statements to the client on demand and by checking requests for compliance with the policy. This feature can be configured and enabled if required.
Policies include the set of HTTP methods that can be accepted, where requests can originate, and which content types are valid. These policies vary according to the request URL, and can be reconfigured as needed by adding entries to the locked.properties file.
An ellipsis after a property name indicates that the property can accept a list.
Property | Value Type | Master Default | Other Defaults |
---|---|---|---|
enableCORS | true or false | false | n/a |
acceptContentType... | http-content-type | application/x-www-form-urlencoded,application/xml,text/xml | flexadmin=application/x-amf admin=application/json,application/text,application/x-www-form-urlencoded portal=application/json view-vlsi-rest=application/json rest=application/json |
acceptHeader... | http-header-name | * | admin=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Cache-Control,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrftoken,DNT,Host,Origin,Referer,User-Agent broker=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,Gateway-Location,Gateway-Name,Gateway-Type,Host,Origin,Referer,User-Agent,X-CSRF-Token,X-EUC-Gateway,X-EUC-Health,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Proto portal=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,Host,Origin,Referer,User-Agent,X-CSRF-Token rest=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrfToken,Host,Origin,Referer,User-Agent,X-Require-Cloud-Admin-Privilege view-vlsi=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrfToken,Host,Origin,Referer,User-Agent,X-Require-Cloud-Admin-Privilege view-vlsi-rest=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrfToken,Host,Origin,Referer,User-Agent,X-Require-Cloud-Admin-Privilege |
exposeHeader... | http-header-name | * | n/a |
filterHeaders | true or false | true | n/a |
checkOrigin | true or false | true | n/a |
checkReferer | true or false | false | n/a |
allowCredentials | true or false | false | admin=true broker=true flexadmin=true health=true misc=true portal=true rest=true saml=true tunnel=true view-vlsi=true view-vlsi-rest=true |
allowMethod... | http-method-name | GET,HEAD,POST | health=GET,HEAD misc=GET,HEAD rest=GET,POST,PUT,PATCH,DELETE saml=GET,HEAD tunnel=GET,POST |
allowPreflight | true or false | true | n/a |
maxAge | cache-time | 0 | n/a |
balancedHost | load-balancer-name | OFF | n/a |
portalHost... | gateway-name | OFF | n/a |
chromeExtension... | chrome-extension-hash | ppkfnjlimknmjoaemnpidmdlfchhehel (Note: This value is the Chrome extension ID for Horizon Client for Chrome.) | n/a |
Following are examples of CORS properties in the locked.properties file.
```
enableCORS = true
allowPreflight = true
checkOrigin = true
checkOrigin-misc = false
allowMethod.1 = GET
allowMethod.2 = HEAD
allowMethod.3 = POST
allowMethod-saml.1 = GET
allowMethod-saml.2 = HEAD
acceptContentType.1 = application/x-www-form-urlencoded
acceptContentType.2 = application/xml
acceptContentType.3 = text/xml
```
Origin Checking
Origin checking is enabled by default. When it is enabled, a request is accepted only if it carries no Origin header, or if its Origin equals the address that the External URL specifies, the balancedHost address, any portalHost address, any chromeExtension hash, null, or localhost. If the Origin is not one of these possibilities, an "Unexpected Origin" error is logged and a status of 404 is returned.
checkReferer=true
If multiple Connection Server hosts or security servers are load balanced, you must specify the load balancer address by adding a balancedHost entry to the locked.properties file. Port 443 is assumed for this address.
If clients connect through a Unified Access Gateway appliance or another gateway, you must specify all the gateway addresses by adding portalHost entries to the locked.properties file. Port 443 is assumed for these addresses. You must also specify portalHost entries to provide access to a Connection Server host or security server by a name that is different from the name that the External URL specifies.
Chrome extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to the locked.properties file. For example:
chromeExtension.1=bpifadopbphhpkkcfohecfadckmpjmjd
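To review a locked.properties file before deploying it, the Python model below (an added example, not VMware code) parses the numbered and per-service entries and applies the origin rule described above to a candidate Origin value. The hostnames, the function names, the `chrome-extension://` origin form, and the handling of scheme, port and localhost are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample locked.properties content; hostnames are placeholders.
SAMPLE = """\
checkOrigin = true
checkOrigin-misc = false
balancedHost = vdi.example.com
portalHost.1 = uag1.example.com
portalHost.2 = uag2.example.com
chromeExtension.1 = bpifadopbphhpkkcfohecfadckmpjmjd
"""

def parse(text):
    """Return {name: [values]}; numbered entries (portalHost.1, .2) merge into one list."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.lstrip().startswith(("#", "!")):
            continue
        base, _, index = key.strip().rpartition(".")
        name = base if base and index.isdigit() else key.strip()
        props.setdefault(name, []).append(value.strip())
    return props

def effective(props, name, service, default):
    """A service override (checkOrigin-misc) takes precedence over the master entry."""
    return props.get(f"{name}-{service}") or props.get(name) or default

def origin_allowed(origin, props, external_url, service=None):
    """Model of the documented rule; a False result corresponds to the logged 404."""
    if effective(props, "checkOrigin", service, ["true"])[0].lower() != "true":
        return True                      # checking is off for this service
    if origin is None or origin == "null":
        return True                      # no Origin header, or the literal null
    o = urlsplit(origin)
    if o.scheme == "chrome-extension":
        # Assumption: the table's default ID applies only when no entry is configured.
        return o.netloc in props.get("chromeExtension", ["ppkfnjlimknmjoaemnpidmdlfchhehel"])
    if o.hostname == "localhost":
        return True                      # assumption: any scheme and port on localhost
    if o.scheme != "https":
        return False                     # assumption: port 443 implies HTTPS origins
    ext = urlsplit(external_url)
    if (o.hostname, o.port or 443) == (ext.hostname, ext.port or 443):
        return True
    hosts = props.get("balancedHost", []) + props.get("portalHost", [])
    return (o.port or 443) == 443 and o.hostname in {h.lower() for h in hosts if h != "OFF"}
```

Running it with `service="misc"` against the sample shows the effect of `checkOrigin-misc = false`: every Origin is accepted for that service, which is the kind of override worth flagging in a configuration review.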