The Cross-Origin Resource Sharing (CORS) feature regulates client-side cross-origin requests by providing policy statements to the client on demand and by checking requests for compliance with the policy. This feature can be configured and enabled if required.

Policies include the set of HTTP methods that can be accepted, where requests can originate, and which content types are valid. These policies vary according to the request URL, and can be reconfigured as needed by adding entries to the locked.properties file.

An ellipsis after a property name indicates that the property can accept a list.

Table 1. CORS Properties

| Property | Value Type | Master Default | Other Defaults |
|---|---|---|---|
| enableCORS | true / false | false | n/a |
| acceptContentType... | http-content-type | application/x-www-form-urlencoded,application/xml,text/xml | admin=application/x-amf; newadmin=application/json,application/text,application/x-www-form-urlencoded; portal=application/json; sso-redirect=application/x-amf; view-vlsi-rest=application/json |
| acceptHeader... | http-header-name | * | n/a |
| exposeHeader... | http-header-name | * | n/a |
| filterHeaders | true / false | true | n/a |
| checkOrigin | true / false | true | n/a |
| checkReferer | true / false | false | n/a |
| allowCredentials | true / false | false | admin=true; broker=true; misc=true; newadmin=true; portal=true; saml=true; sso-redirect=true; tunnel=true; view-vlsi=true; view-vlsi-rest=true |
| allowMethod... | http-method-name | GET,HEAD,POST | misc=GET,HEAD; saml=GET,HEAD; sso-redirect=GET,HEAD |
| allowPreflight | true / false | true | n/a |
| maxAge | cache-time | 0 | n/a |
| balancedHost | load-balancer-name | OFF | n/a |
| portalHost... | gateway-name | OFF | n/a |
| chromeExtension... | chrome-extension-hash | ppkfnjlimknmjoaemnpidmdlfchhehel (Note: This value is the Chrome extension ID for Horizon Client for Chrome.) | n/a |

Following are examples of CORS properties in the locked.properties file.

enableCORS = true
allowPreflight = true
checkOrigin = true
checkOrigin-misc = false
allowMethod.1 = GET
allowMethod.2 = HEAD
allowMethod.3 = POST
allowMethod-saml.1 = GET
allowMethod-saml.2 = HEAD
acceptContentType.1 = application/x-www-form-urlencoded
acceptContentType.2 = application/xml
acceptContentType.3 = text/xml

Origin Checking

Origin checking is enabled by default. When it is enabled, a request is accepted only if it has no Origin header, or if its Origin is equal to the address that the External URL specifies, to the balancedHost address, to any portalHost address, to any chromeExtension hash, to null, or to localhost. If the Origin is not one of these possibilities, an "Unexpected Origin" error is logged and a status of 404 is returned.

Note:

Some browsers do not provide an Origin header, or do not always provide one. Optionally, the Referer header in a request can be checked in the absence of an Origin header. The Referer header has one "r" in the header name. To check the Referer header, add the following property to the locked.properties file:

checkReferer=true

If multiple Connection Server hosts or security servers are load balanced, you must specify the load balancer address by adding a balancedHost entry to the locked.properties file. Port 443 is assumed for this address.

If clients connect through a Unified Access Gateway appliance or another gateway, you must specify all the gateway addresses by adding portalHost entries to the locked.properties file. Port 443 is assumed for these addresses. You must also specify portalHost entries to provide access to a Connection Server host or security server by a name that is different from the name that the External URL specifies.

Chrome extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to the locked.properties file. For example:

chromeExtension.1=bpifadopbphhpkkcfohecfadckmpjmjd
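
The following added example (not product code) models the Origin rule described above so that a locked.properties file can be audited offline before deployment. It assumes exact, case-insensitive host name matching over https on port 443 for balancedHost and portalHost entries, considers only entries present in the file (apart from the checkOrigin default), and uses constructed host names and a constructed External URL.

```python
from urllib.parse import urlsplit

def parse_locked_properties(text):
    """Group 'name[-service][.N] = value' lines into {name[-service]: [values]}."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        stem, _, index = key.rpartition(".")
        base = stem if stem and index.isdigit() else key   # drop list suffix .1, .2, ...
        props.setdefault(base, []).append(value)
    return props

def origin_allowed(origin, props, external_url, service=None):
    """True if the documented rule accepts the request; False models the
    'Unexpected Origin' log entry and 404 status."""
    override = props.get(f"checkOrigin-{service}") if service else None
    if (override or props.get("checkOrigin") or ["true"])[0].lower() != "true":
        return True                      # origin checking is switched off
    if origin is None or origin == "null":
        return True                      # no Origin header, or the literal null
    parts = urlsplit(origin)
    if parts.scheme == "chrome-extension":
        return parts.netloc in props.get("chromeExtension", [])
    host, port = (parts.hostname or "").lower(), parts.port or 443
    if host == "localhost":
        return True
    ext = urlsplit(external_url)
    if (parts.scheme, host, port) == (ext.scheme, (ext.hostname or "").lower(), ext.port or 443):
        return True
    # Assumption: balancedHost/portalHost are compared as exact https host names on port 443.
    named = props.get("balancedHost", []) + props.get("portalHost", [])
    return (parts.scheme == "https" and port == 443
            and host in {n.lower() for n in named if n.upper() != "OFF"})

# Constructed sample file and External URL (all host names are placeholders).
SAMPLE = """\
checkOrigin = true
checkOrigin-misc = false
balancedHost = lb.example.com
portalHost.1 = uag1.example.com
portalHost.2 = uag2.example.com
chromeExtension.1 = bpifadopbphhpkkcfohecfadckmpjmjd
"""
PROPS = parse_locked_properties(SAMPLE)
EXTERNAL_URL = "https://horizon.example.com:443"
```

Running origin_allowed over the Origin values seen in access logs shows which gateway or load balancer names are still missing from the file, and which services have had the check disabled by a per-service override such as checkOrigin-misc.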