The Cross-Origin Resource Sharing (CORS) feature regulates client-side cross-origin requests by providing policy statements to the client on demand and by checking requests for compliance with the policy. This feature is enabled by default.

Policies include the set of HTTP methods that can be accepted, where requests can originate, and which content types are valid. These vary according to the request URL, and can be reconfigured as needed by adding entries to locked.properties.

An ellipsis after a property name indicates that the property can accept a list.

Table 1. CORS Properties

| Property | Value Type | Master Default | Other Defaults |
|---|---|---|---|
| enableCORS | true<br>false | true | n/a |
| acceptContentType... | http-content-type | application/x-www-form-urlencoded,application/xml,text/xml | admin=application/x-amf<br>helpdesk=application/json,application/text,application/x-www-form-urlencoded<br>view-vlsi-rest=application/json |
| acceptHeader... | http-header-name | * | n/a |
| exposeHeader... | http-header-name | * | n/a |
| filterHeaders | true<br>false | true | n/a |
| checkOrigin | true<br>false | true | n/a |
| allowCredentials | true<br>false | false | admin=true<br>broker=true<br>helpdesk=true<br>misc=true<br>portal=true<br>saml=true<br>tunnel=true<br>view-vlsi=true<br>view-vlsi-rest=true |
| allowMethod... | http-method-name | GET,HEAD,POST | misc=GET,HEAD<br>saml=GET,HEAD |
| allowPreflight | true<br>false | true | n/a |
| maxAge | cache-time | 0 | n/a |
| balancedHost | load-balancer-name | OFF | n/a |
| portalHost... | gateway-name | OFF | n/a |
| chromeExtension... | chrome-extension-hash | OFF | n/a |

Example CORS properties in the locked.properties file:

enableCORS = true
allowPreflight = true
checkOrigin = true
checkOrigin-misc = false
allowMethod.1 = GET
allowMethod.2 = HEAD
allowMethod.3 = POST
allowMethod-saml.1 = GET
allowMethod-saml.2 = HEAD
acceptContentType.1 = application/x-www-form-urlencoded
acceptContentType.2 = application/xml
acceptContentType.3 = text/xml

Origin Checking

Origin checking is enabled by default. When it is enabled, a request is accepted only if it has no Origin, or if its Origin is equal to the address given in the External URL, to the balancedHost address, to any portalHost address, to any chromeExtension hash, to null, or to localhost. If Origin is not one of these possibilities, the error "Unexpected Origin" is logged and a status of 404 is returned.

If multiple Connection Servers or security servers are load balanced, you must specify the load balancer address by adding a balancedHost entry to locked.properties. Port 443 is assumed for this address.

If clients need to connect through a Unified Access Gateway or another gateway, you must specify all of the gateway addresses by adding portalHost entries to locked.properties. Port 443 is assumed for these addresses too. Do the same if you want to provide access to a Connection Server or security server by a name that is different from the one that is specified in the External URL.

Chrome Extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to locked.properties.
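To predict whether a given Origin will be accepted or rejected with "Unexpected Origin" before you change locked.properties, the following added example (not code from the product) models the rule described above. The host names, the extension hash and the External URL are constructed placeholders, and the comparison assumes https origins with the default port 443 omitted.

```python
import re
from urllib.parse import urlsplit

# Constructed sample; host names and the extension hash are placeholders.
SAMPLE = """\
checkOrigin = true
balancedHost = lb.example.test
portalHost.1 = uag1.example.test
portalHost.2 = uag2.example.test
chromeExtension.1 = abcdefghijklmnopabcdefghijklmnop
"""

def parse_props(text):
    """Collect 'name = value' and 'name.N = value' entries into lists."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        name = re.sub(r"\.\d+$", "", key)  # portalHost.2 -> portalHost
        props.setdefault(name, []).append(value)
    return props

def normalize(origin):
    """Lower-case scheme://host[:port], dropping the default HTTPS port."""
    u = urlsplit(origin.strip().lower())
    port = "" if u.port in (None, 443) else f":{u.port}"
    return f"{u.scheme}://{u.hostname or ''}{port}"

def origin_allowed(origin, props, external_url):
    """True = accepted; False = 404 with 'Unexpected Origin' logged."""
    if props.get("checkOrigin", ["true"])[-1].lower() == "false":
        return True  # assumption: with checking off, any Origin passes
    if origin is None or origin == "null":
        return True
    norm = normalize(origin)
    if urlsplit(norm).hostname == "localhost":
        return True
    allowed = {normalize(external_url)}
    hosts = props.get("balancedHost", []) + props.get("portalHost", [])
    allowed |= {normalize(f"https://{h}") for h in hosts if h.upper() != "OFF"}
    exts = [e for e in props.get("chromeExtension", []) if e.upper() != "OFF"]
    allowed |= {f"chrome-extension://{e.lower()}" for e in exts}
    return norm in allowed
```

An Origin that returns False here, such as a gateway name missing from the portalHost entries, is the case that needs a new entry in locked.properties.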