The Cross-Origin Resource Sharing (CORS) feature regulates client-side cross-origin requests by providing policy statements to the client on demand and by checking requests for compliance with the policy. This feature can be configured and enabled if required.

Policies include the set of HTTP methods that can be accepted, where requests can originate, and which content types are valid. These policies vary according to the request URL, and can be reconfigured as needed by adding entries to the locked.properties file.

An ellipsis after a property name indicates that the property can accept a list.

Table 1. CORS Properties
Property Value Type Primary Default Other Defaults
enableCORS true

false

true n/a
acceptContentType... http-content-type application/x-www-form-urlencoded,application/xml,text/xml admin=application/json,application/text,application/x-www-form-urlencoded

portal=application/json

rest=application/json

sse=application/json

view-vlsi-rest=application/json

acceptHeader... http-header-name * admin=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Cache-Control,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrftoken,DNT,Host,Origin,Referer,User-Agent

broker=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,Gateway-Location,Gateway-Name,Gateway-Type,Host,Origin,Referer,User-Agent,X-CSRF-Token,X-EUC-Gateway,X-EUC-Health,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Proto

portal=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,Host,Origin,Referer,User-Agent,X-CSRF-Token

rest=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrfToken,Host,Origin,Referer,User-Agent,X-Require-Cloud-Admin-Privilege

view-vlsi=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrfToken,Host,Origin,Referer,User-Agent,X-Require-Cloud-Admin-Privilege

view-vlsi-rest=Accept,Accept-Encoding,Accept-Charset,Accept-Language,Authorization,Connection,Content-Language,Content-Length,Content-Type,Cookie,csrfToken,Host,Origin,Referer,User-Agent,X-Require-Cloud-Admin-Privilege

exposeHeader... http-header-name * n/a
filterHeaders true

false

true n/a
checkOrigin true

false

true n/a
checkReferer true

false

false n/a
allowCredentials true

false

false admin =true

broker=true

health=true

misc =true

portal=true

rest=true

saml=true

sse=true

tunnel=true

view-vlsi=true

view-vlsi-rest=true

allowMethod... http-method-name GET,HEAD,POST health=GET,HEAD

misc =GET,HEAD

rest=GET,POST,PUT, PATCH,DELETE

saml =GET,HEAD

sse=GET,POST

tunnel=GET,POST

allowPreflight true

false

true n/a
maxAge cache-time 0 n/a
balancedHost... load-balancer-name OFF n/a
portalHost... gateway-name OFF n/a
chromeExtension... chrome-extension-hash ppkfnjlimknmjoaemnpidmdlfchhehel
Note: This value is the Chrome extension ID for Horizon Client for Chrome.
n/a

Following are examples of CORS properties in the locked.properties file.

enableCORS = true
allowPreflight = true
checkOrigin = true
checkOrigin-misc = false
allowMethod.1 = GET
allowMethod.2 = HEAD
allowMethod.3 = POST
allowMethod-saml.1 = GET
allowMethod-saml.2 = HEAD
acceptContentType.1 = application/x-www-form-urlencoded
acceptContentType.2 = application/xml
acceptContentType.3 = text/xml

Origin Checking

Origin checking is enabled by default. When it is enabled, a request is accepted only without an Origin, or with an Origin equal to the address that the External URL specifies, to any balancedHost address, to any portalHost address, to any chromeExtension hash, to null, or to localhost. If Origin is not one of these possibilities, an "Unexpected Origin" error is logged and a status of 404 is returned.

Note: Some browsers do not provide an Origin header, or do not always provide one. Optionally, the Referer header in a request can be checked in the absence of an Origin header. The Referer header has one "r" in header name. To check the Referer header, add the following property to the locked.properties file:
checkReferer=true

If multiple Connection Server hosts are load balanced, you must specify the load balancer address by adding a balancedHost entry to the locked.properties file. Port 443 is assumed for this address.

If clients connect through a Unified Access Gateway appliance or another gateway, you must specify all the gateway addresses by adding portalHost entries to the locked.properties file. Port 443 is assumed for these addresses. You must also specify portalHost entries to provide access to a Connection Server host by a name that is different from the name that the External URL specifies.

Chrome extension clients set their initial Origin to their own identity. To allow connections to succeed, register the extension by adding a chromeExtension entry to the locked.properties file. For example:
chromeExtension.1=bpifadopbphhpkkcfohecfadckmpjmjd 

See also Host Checking.