github.com/projectcontour/contour@v1.28.2/site/content/docs/1.20/config/cors.md

# CORS

A CORS (Cross-Origin Resource Sharing) policy can be set for an HTTPProxy in order to allow cross-domain requests from trusted sources.
If a policy is set, it is applied to all the routes of the virtual host.

Contour allows configuring the headers involved in cross-domain requests.
In this example, cross-domain requests will be allowed for any domain (note the `*` value).

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cors-example
spec:
  virtualhost:
    fqdn: www.example.com
    corsPolicy:
      allowCredentials: true
      allowOrigin:
        - "*" # allows any origin
      allowMethods:
        - GET
        - POST
        - OPTIONS
      allowHeaders:
        - authorization
        - cache-control
      exposeHeaders:
        - Content-Length
        - Content-Range
      maxAge: "10m" # preflight requests can be cached for 10 minutes.
  routes:
    - conditions:
      - prefix: /
      services:
        - name: cors-example
          port: 80
```

In the following example, cross-domain requests are restricted to `https://client.example.com` only.

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cors-example
spec:
  virtualhost:
    fqdn: www.example.com
    corsPolicy:
      allowCredentials: true
      allowOrigin:
        - "https://client.example.com"
      allowMethods:
        - GET
        - POST
        - OPTIONS
      allowHeaders:
        - authorization
        - cache-control
      exposeHeaders:
        - Content-Length
        - Content-Range
      maxAge: "10m"
  routes:
    - conditions:
      - prefix: /
      services:
        - name: cors-example
          port: 80
```

`maxAge` durations are expressed in the Go [duration format](https://godoc.org/time#ParseDuration).
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Only positive values are allowed, and 0 disables the cache, requiring a preflight `OPTIONS` check for all cross-origin requests.
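
A pre-deployment check for the two policies above, as an added Go example that is not Contour's own code: the `CORSPolicy` struct and `Lint` function are hypothetical stand-ins covering only the fields this check needs. It flags `*` together with `allowCredentials: true`, because browsers reject a literal `Access-Control-Allow-Origin: *` on credentialed requests, so that combination is only useful if every origin is admitted with credentials, and it validates `maxAge` against the rules stated above.

```go
package main

import (
	"fmt"
	"time"
)

// CORSPolicy mirrors only the corsPolicy fields this check needs.
// Hypothetical stand-in for illustration, not Contour's API type.
type CORSPolicy struct {
	AllowCredentials bool
	AllowOrigin      []string
	MaxAge           string
}

// Lint applies the maxAge rules stated on this page and flags a wildcard
// origin, separately noting when credentials are also allowed.
func Lint(p CORSPolicy) []string {
	var out []string
	for _, o := range p.AllowOrigin {
		if o == "*" && p.AllowCredentials {
			out = append(out, "wildcard origin with allowCredentials: true")
		} else if o == "*" {
			out = append(out, "wildcard origin")
		}
	}
	if p.MaxAge == "" {
		return out // field omitted, nothing to validate
	}
	d, err := time.ParseDuration(p.MaxAge)
	switch {
	case err != nil:
		out = append(out, "maxAge is not a Go duration: "+p.MaxAge)
	case d < 0:
		out = append(out, "maxAge is negative: "+p.MaxAge)
	case d == 0:
		out = append(out, "maxAge 0 disables preflight caching")
	case d < time.Second:
		out = append(out, "maxAge below one second: "+p.MaxAge)
	}
	return out
}

func main() {
	// Constructed inputs matching the two manifests on this page.
	open := CORSPolicy{AllowCredentials: true, AllowOrigin: []string{"*"}, MaxAge: "10m"}
	strict := CORSPolicy{AllowCredentials: true, AllowOrigin: []string{"https://client.example.com"}, MaxAge: "10m"}
	fmt.Println("open:", Lint(open))
	fmt.Println("strict:", Lint(strict))
}
```

The sub-second case is reported because `Access-Control-Max-Age` is expressed in whole seconds, so a value such as `500ms` cannot be represented as written.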