Cross-Origin Resource Sharing (CORS) Support

The web reverse proxy can be configured to support cross-origin resource sharing.

Cross-origin resource sharing allows the web reverse proxy to indicate to clients that it permits clients to make cross-origin requests to resources which it protects. The web reverse proxy acts a resource processor as defined in the W3C recommendation Cross-Origin Resource Sharing. Cross-origin resource sharing is achieved by indicating to clients using a pre-flight check they might make cross-origin requests and on subsequent cross-origin requests how they are permitted to use any responses returned. Cross-origin resource sharing should not be considered a security enforcement mechanism for protecting resources. A malicious client can bypass all cross-origin resource sharing processing by simply not performing a pre-flight check or by not including an accurate origin header when making cross origin requests.

• Configure CORS Policies
  CORS Policies can be configured by creating a [cors-policy:<policy name>] stanza in the web reverse proxy configuration file.
• Process Common to Pre-Flight Check and Regular Cross-Origin Requests
  To determine which origins should be permitted to make cross-origin requests, the web reverse proxy uses the configured list of allowed origins for the matched policy.
• CORS Error Response
  If CORS processing fails, the web reverse proxy returns an error response with the CORS error code.
• Simple Methods and Headers
  

Parent topic: Web server configuration

Related concepts

• Content caching
• Communication protocol configuration
• IPv4 and IPv6 overview
• IPv6: Compatibility support
• IP levels for credential attributes
• LDAP directory server configuration
• WebSEAL worker thread configuration
• WebSEAL worker threads
• Global allocation of worker threads for junctions
• Per-junction allocation of worker threads for junctions
• HTTP data compression
• WebSEAL data handling by using UTF-8
• UTF-8 dependency on user registry configuration
• UTF-8 data conversion issues
• UTF-8 impact on authentication
• UTF-8 impact on authorization (dynamic URL)
• Encoding type usage
• UTF-8 support for uniform resource locators
• UTF-8 support in POST body information (forms)
• UTF-8 support in query strings
• UTF-8 encoding of tokens for cross domain single signon
• UTF-8 encoding of tokens for e-community single signon
• UTF-8 encoding of cookies for failover authentication
• UTF-8 encoding of cookies for LTPA authentication
• UTF-8 encoding in junction requests
• Validation of character encoding in request data
• Set system environment variables

Related tasks

• Specify the WebSEAL host name
• Modifying the configuration file settings
• Configure WebSEAL for IPv6 and IPv4 requests

Related reference

• IPv6: Upgrade notes
• Allocation view of worker threads for junctions
• Supported wildcard pattern matching characters