The Cross-Origin Resource Sharing (CORS) feature regulates client-side cross-origin requests by providing policy statements to the client on demand and by checking requests for compliance with the policy. This feature is enabled by default.
Policies include the set of HTTP methods that can be accepted, where requests can originate, and which content types are valid. These vary according to the request URL, and can be reconfigured as needed by adding entries to locked.properties.
An ellipsis after a property name indicates that the property can accept a list.
Property | Value Type | Master Default | Other Defaults |
---|---|---|---|
enableCORS | true false | true | n/a |
acceptContentType... | http-content-type | application/x-www-form-urlencoded,application/xml,text/xml | |
acceptHeader... | http-header-name | * | n/a |
exposeHeader... | http-header-name | * | n/a |
filterHeaders | true false | true | n/a |
checkOrigin | true false | true | n/a |
allowCredentials | true false | false | admin=true broker=true helpdesk=true misc=true portal=true saml=true tunnel=true view-vlsi=true view-vlsi-rest=true |
allowMethod... | http-method-name | GET,HEAD,POST | misc=GET,HEAD saml=GET,HEAD |
allowPreflight | true false | true | n/a |
maxAge | cache-time | 0 | n/a |
balancedHost | load-balancer-name | OFF | n/a |
portalHost... | gateway-name | OFF | n/a |
chromeExtension... | chrome-extension-hash | OFF | n/a |
Example CORS properties in the locked.properties file:
enableCORS = true
allowPreflight = true
checkOrigin = true
checkOrigin-misc = false
allowMethod.1 = GET
allowMethod.2 = HEAD
allowMethod.3 = POST
allowMethod-saml.1 = GET
allowMethod-saml.2 = HEAD
acceptContentType.1 = application/x-www-form-urlencoded
acceptContentType.2 = application/xml
acceptContentType.3 = text/xml
Origin Checking
Origin checking is enabled by default. When it is enabled, a request is accepted only if it has no Origin, or if its Origin is equal to the address given in the External URL, to the balancedHost address, to any portalHost address, to any chromeExtension hash, to null, or to localhost. If Origin is not one of these possibilities, an "Unexpected Origin" error is logged and a status of 404 is returned.
If multiple Connection Servers or security servers are load balanced, you must specify the load balancer address by adding a balancedHost entry to locked.properties. Port 443 is assumed for this address.
If clients need to connect through a Unified Access Gateway or another gateway, you must specify all of the gateway addresses by adding portalHost entries to locked.properties. Port 443 is assumed for these addresses too. Do the same if you want to provide access to a Connection Server or security server by a name that is different from the one that is specified in the External URL.
Chrome Extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to locked.properties.
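The origin rules above can be modeled in a short script to check, before deployment, which Origin values a given locked.properties would admit. This is an added example, not the product's own code: the function names, host names, extension hash, and External URL are constructed, and the matching details (https required for non-localhost origins, case-insensitive host comparison, `chrome-extension://<hash>` origin form) are assumptions. Service-specific overrides such as checkOrigin-misc are not modeled.

```python
from urllib.parse import urlsplit

# Constructed sample locked.properties content; hosts and the hash are placeholders.
SAMPLE = """\
checkOrigin = true
balancedHost = lb.example.com
portalHost.1 = uag1.example.com
portalHost.2 = uag2.example.com
chromeExtension.1 = abcdefghijklmnopabcdefghijklmnop
"""

def parse_properties(text):
    """Parse key = value lines; list entries (name.N) are collected under name."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        base, _, index = key.rpartition(".")
        name = base if base and index.isdigit() else key
        props.setdefault(name, []).append(value)
    return props

def origin_accepted(origin, props, external_url):
    """True if the Origin value passes the documented check (None = no header)."""
    if props.get("checkOrigin", ["true"])[-1].lower() == "false":
        return True
    if origin is None or origin == "null":
        return True
    parts = urlsplit(origin)
    if parts.scheme == "chrome-extension":
        return parts.netloc in props.get("chromeExtension", [])
    host, port = parts.hostname, parts.port or 443
    if host == "localhost":
        return True
    if parts.scheme != "https":  # assumption: other origins must be https
        return False
    ext = urlsplit(external_url)
    if (host, port) == (ext.hostname, ext.port or 443):
        return True
    # Port 443 is assumed for balancedHost and portalHost addresses; OFF means unset.
    hosts = props.get("balancedHost", []) + props.get("portalHost", [])
    return port == 443 and host in {h.lower() for h in hosts} - {"off"}
```

An origin that returns False here corresponds to the case where "Unexpected Origin" is logged and a 404 is returned, which makes the script useful for spotting a missing balancedHost or portalHost entry.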