Process Common to Pre-Flight Check and Regular Cross-Origin Requests

To determine which origins should be permitted to make cross-origin requests, the web reverse proxy uses the configured list of allowed origins for the matched policy.

It is also possible to allow cross-origin requests from any origin by explicitly setting '*' as an allowed origin. See allow-origin.

Evaluating Access-Control-Allow-Origin

The web reverse proxy indicates to clients whether an origin is permitted to make cross-origin requests using the Access-Control-Allow-Origin header.

If the web reverse proxy is configured to allow all origins, whatever origin the client presents in the Origin header is returned. The web reverse proxy never returns this header with a value of '*'.

If the web reverse proxy is configured to allow only some origins, the Origin header presented by the client is evaluated against the list of configured allow-origin values. If the origin is permitted, the origin presented by the client in the Origin header is returned. If the origin is not permitted, the web reverse proxy returns the CORS error response. See CORS Error Response.

The following examples show the request headers and the resulting response for a policy containing allow-origin = https://test.ibm.com and for a policy containing allow-origin = *.

Request headers:

    ...
    Origin: https://test.ibm.com
    ...
    (Configured origin)

Response from policy containing allow-origin = https://test.ibm.com:

    ...
    Access-Control-Allow-Origin: https://test.ibm.com
    ...

Response from policy containing allow-origin = *:

    ...
    Access-Control-Allow-Origin: https://test.ibm.com
    ...

Request headers:

    ...
    Origin: https://test2.ibm.com
    ...
    (Not a configured origin)

Response from policy containing allow-origin = https://test.ibm.com:

    CORS Error Response

Response from policy containing allow-origin = *:

    ...
    Access-Control-Allow-Origin: https://test2.ibm.com
    ...

Evaluating Access-Control-Allow-Credentials

For both pre-flight responses and regular cross-origin requests, the web reverse proxy includes the Access-Control-Allow-Credentials header with a value of true if it is enabled in the matching policy. See allow-credentials.
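The origin evaluation and the Access-Control-Allow-Credentials handling described above, written out as an added Python example. This is not the web reverse proxy's own code: the CorsPolicy structure, the function names and the 403 status used for the CORS error response are assumptions made for the example, and the sample policies and requests are constructed to match the cases in the table.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed status code for the "CORS Error Response"; the page does not state one.
CORS_ERROR_STATUS = 403


@dataclass
class CorsPolicy:
    """Minimal stand-in for the matched policy (assumed structure, not the product's format)."""
    allow_origin: List[str] = field(default_factory=list)  # "*" means any origin
    allow_credentials: bool = False


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate_origin(policy: CorsPolicy, origin: Optional[str]) -> Optional[str]:
    """Return the value to send in Access-Control-Allow-Origin, or None if the
    origin is rejected.

    Mirrors the documented behaviour: with allow-origin = * the client's Origin
    is reflected back (the literal '*' is never returned); otherwise the Origin
    must match a configured value exactly (scheme, host and port).
    """
    if origin is None:
        return None
    if "*" in policy.allow_origin:
        return origin
    if origin in policy.allow_origin:
        return origin
    return None


def cors_response(policy: CorsPolicy, request_headers: Dict[str, str]) -> Dict[str, object]:
    """Build the CORS-relevant part of the response for a cross-origin request."""
    origin = get_header(request_headers, "Origin")
    if origin is None:
        # Assumption: a request without Origin is not cross-origin, so no CORS headers are added.
        return {"status": 200, "headers": {}}

    allowed = evaluate_origin(policy, origin)
    if allowed is None:
        return {"status": CORS_ERROR_STATUS, "headers": {}}

    headers: Dict[str, str] = {"Access-Control-Allow-Origin": allowed}
    # Credentials header is added only when enabled in the matching policy.
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return {"status": 200, "headers": headers}


def policy_findings(policy: CorsPolicy) -> List[str]:
    """Review-time check: flag a policy that reflects any origin and also allows credentials."""
    findings = []
    if "*" in policy.allow_origin and policy.allow_credentials:
        findings.append(
            "allow-origin = * with allow-credentials reflects every Origin with "
            "Access-Control-Allow-Credentials: true; any site can make credentialed requests"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample policies and requests, matching the cases in the table above.
    specific = CorsPolicy(allow_origin=["https://test.ibm.com"])
    any_origin = CorsPolicy(allow_origin=["*"], allow_credentials=True)
    for policy in (specific, any_origin):
        for origin in ("https://test.ibm.com", "https://test2.ibm.com"):
            print(policy.allow_origin, origin, cors_response(policy, {"Origin": origin}))
        print("findings:", policy_findings(policy))
```

The `policy_findings` check is the point a reviewer would raise when reading this page: because the proxy reflects the client's Origin rather than sending a literal `*`, a policy with allow-origin = * satisfies the browser's requirement for credentialed responses, so enabling allow-credentials on such a policy grants every origin credentialed access. Keep allow-credentials on policies with an explicit origin list.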

Parent topic: Cross-Origin Resource Sharing (CORS) Support