Cross-Origin Resource Sharing

The Cross-Origin Resource Sharing (CORS) feature regulates client-side cross-origin requests by providing policy statements to the client on demand and by checking requests for compliance with the policy. This feature can be configured and enabled if required.

Policies include the set of HTTP methods that can be accepted, where requests can originate, and which content types are valid. These policies vary according to the request URL, and can be reconfigured as needed by adding entries to the locked.properties file.

An ellipsis after a property name indicates that the property can accept a list.

Table 1. CORS Properties
Property	Value Type	Primary Default	Other Defaults
enableCORS	true false	true	n/a
acceptContentType...	http-content-type	application/x-www-form-urlencoded,application/xml,text/xml	admin=application/json,application/text,application/x-www-form-urlencoded portal=application/json rest=application/json sse=application/json view-vlsi-rest=application/json
acceptHeader...	http-header-name	*	admin=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Cache-Control,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrftoken,DNT,Host,Origin,Referer,User-Agent broker=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,Gateway-Location,Gateway-Name,Gateway-Type,Host,Origin,Referer,User-Agent,X-CSRF-Token,X-EUC-Gateway,X-EUC-Health,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Proto portal=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,Host,Origin,Referer,User-Agent,X-CSRF-Token rest=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrfToken,Host,Origin,Referer,User-Agent,X-Require-Cloud-Admin-Privilege view-vlsi=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrfToken,Host,Origin,Referer,User-Agent,X-Require-Cloud-Admin-Privilege view-vlsi-rest=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrfToken,Host,Origin,Referer,User-Agent,X-Require-Cloud-Admin-Privilege
exposeHeader...	http-header-name	*	n/a
filterHeaders	true false	true	n/a
checkOrigin	true false	true	n/a
checkReferer	true false	false	n/a
allowCredentials	true false	false	admin =true broker=true health=true misc =true portal=true rest=true saml=true sse=true tunnel=true view-vlsi=true view-vlsi-rest=true
allowMethod...	http-method-name	GET,HEAD,POST	health=GET,HEAD misc =GET,HEAD rest=GET,POST,PUT, PATCH,DELETE saml =GET,HEAD sse=GET,POST tunnel=GET,POST
allowPreflight	true false	true	n/a
maxAge	cache-time	0	n/a
balancedHost	load-balancer-name	OFF	n/a
portalHost...	gateway-name	OFF	n/a
chromeExtension...	chrome-extension-hash	ppkfnjlimknmjoaemnpidmdlfchhehel Note: This value is the Chrome extension ID for Horizon Client for Chrome.	n/a

Following are examples of CORS properties in the locked.properties file.

enableCORS = true
allowPreflight = true
checkOrigin = true
checkOrigin-misc = false
allowMethod.1 = GET
allowMethod.2 = HEAD
allowMethod.3 = POST
allowMethod-saml.1 = GET
allowMethod-saml.2 = HEAD
acceptContentType.1 = application/x-www-form-urlencoded
acceptContentType.2 = application/xml
acceptContentType.3 = text/xml

Origin Checking

Origin checking is enabled by default. When it is enabled, a request is accepted only without an Origin, or with an Origin equal to the address that the External URL specifies, to the balancedHost address, to any portalHost address, to any chromeExtension hash, to null, or to localhost. If Origin is not one of these possibilities, an "Unexpected Origin" error is logged and a status of 404 is returned.

Note: Some browsers do not provide an Origin header, or do not always provide one. Optionally, the Referer header in a request can be checked in the absence of an Origin header. The Referer header has one "r" in header name. To check the Referer header, add the following property to the locked.properties file:

checkReferer=true

If multiple Connection Server hosts are load balanced, you must specify the load balancer address by adding a balancedHost entry to the locked.properties file. Port 443 is assumed for this address.

If clients connect through a Unified Access Gateway appliance or another gateway, you must specify all the gateway addresses by adding portalHost entries to the locked.properties file. Port 443 is assumed for these addresses. You must also specify portalHost entries to provide access to a Connection Server host by a name that is different from the name that the External URL specifies.

Chrome extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to the locked.properties file. For example:

chromeExtension.1=bpifadopbphhpkkcfohecfadckmpjmjd