This article describes the introduction and processes of integrating CORS preflight caching with the CA API Gateway. Sample policies and documentation are attached to this document.
Cross-origin resource sharing (CORS) is a mechanism that allows resources (such as fonts, images, or multimedia) on a web page to be requested from another domain outside the domain from which the resource originated. CORS defines a way in which a browser and server can interact to safely determine whether or not to allow the cross-origin request.
Open Web Application Security Project (OWASP) has identified a risk in the Cross-Origin Resource Sharing (CORS) request preflight process. Transmittal of CORS requests is handled by the client application used by the service consumer. A user could craft and send an HTTP request that does not use an allowed HTTP method or body. The CORS mechanism provides client and server applications with a protocol for engaging in a "preflight" exchange the determines what domains can request data and what HTTP methods are permitted. This exchange is typically executed using an HTTP request with the OPTIONS method. A CORS-compliant server application can respond with several CORS-specific headers that can inform the browser whether the application can request a specific resource.
The use of the preflight exchange is completely dependent upon the client application sending a preflight OPTIONS request. A client application can send an HTTP request to a service without previously sending the first request for preflight in an attempt to interact with the service and server in a malicious manner. The CORS policy implementation in the API Gateway is designed to provide a configurable proxy for web services and applications to mitigate abuse of CORS preflight processes by caching preflight requests and validating that subsequent requests correlate to an existing preflight request.
Installation notes and more detailed information with example policies can be found in the compressed archive attached to this article. Downloading and extracting the contents of the archive will provide the following items:
- CORS Preflight Cache Service policy
- CORS Processor policy
- Example Company policy
- Managing CORS Preflight Scrutiny in Layer 7 Policy
As of Gateway 9.1 the 'Process CORS Requests' assertion supersedes this article.