github.com/projectcontour/contour@v1.28.2/site/content/docs/1.24/config/cors.md (about)

# CORS

A CORS (Cross-Origin Resource Sharing) policy can be set for an HTTPProxy in order to allow cross-domain requests for trusted sources.
If a policy is set, it will be applied to all the routes of the virtual host.

Contour allows configuring the headers involved in responses to cross-domain requests.
These include the `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers`, `Access-Control-Expose-Headers`, `Access-Control-Max-Age`, and `Access-Control-Allow-Credentials` headers in responses.

In this example, cross-domain requests will be allowed for any domain (note the `*` value), with the methods `GET`, `POST`, or `OPTIONS`.
Headers `Authorization` and `Cache-Control` will be passed to the upstream server and headers `Content-Length` and `Content-Range` will be made available to the cross-origin request client.

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cors-example
spec:
  virtualhost:
    fqdn: www.example.com
    corsPolicy:
      allowCredentials: true
      allowOrigin:
        - "*" # allows any origin
      allowMethods:
        - GET
        - POST
        - OPTIONS
      allowHeaders:
        - authorization
        - cache-control
      exposeHeaders:
        - Content-Length
        - Content-Range
      maxAge: "10m" # preflight requests can be cached for 10 minutes.
  routes:
    - conditions:
      - prefix: /
      services:
        - name: cors-example
          port: 80
```

The `allowOrigin` list may also be configured with exact origin matches or regex patterns.
In the following example, cross-domain requests must originate from the domain `https://client.example.com` or from domains that match the regex `http[s]?:\/\/some-site-[a-z0-9]+\.example\.com` (e.g. a request with the `Origin` header `https://some-site-abc456.example.com`).

*Note:* Patterns for matching `Origin` headers must be valid regex; simple "globbing" patterns (e.g. `*.foo.com`) will not be accepted or may produce incorrect matches.

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cors-example
spec:
  virtualhost:
    fqdn: www.example.com
    corsPolicy:
      allowCredentials: true
      allowOrigin:
        - https://client.example.com
        - http[s]?:\/\/some-site-[a-z0-9]+\.example\.com
      allowMethods:
        - GET
        - POST
        - OPTIONS
      allowHeaders:
        - authorization
        - cache-control
      exposeHeaders:
        - Content-Length
        - Content-Range
      maxAge: "10m"
  routes:
    - conditions:
      - prefix: /
      services:
        - name: cors-example
          port: 80
```
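
One way to check `allowOrigin` regex entries before applying them, written with Go's `regexp` package (RE2 syntax). This is an added example, not part of the Contour documentation or code base. It assumes the whole `Origin` value must match the pattern; the helper names `matchOrigin` and `audit` and the probe origins are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// matchOrigin reports whether one allowOrigin regex entry accepts origin.
// Assumption: the whole Origin value must match, so the pattern is anchored.
// err is non-nil when the entry is not valid (RE2-style) regex.
func matchOrigin(pattern, origin string) (bool, error) {
	re, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return false, err
	}
	return re.MatchString(origin), nil
}

// audit checks a pattern against origins it must accept and origins it must
// reject, returning one finding per surprise (empty means it behaves).
func audit(pattern string, allow, deny []string) []string {
	var findings []string
	for i, o := range append(append([]string{}, allow...), deny...) {
		ok, err := matchOrigin(pattern, o)
		switch {
		case err != nil:
			return []string{"invalid regex: " + err.Error()}
		case i < len(allow) && !ok:
			findings = append(findings, "rejects trusted origin "+o)
		case i >= len(allow) && ok:
			findings = append(findings, "accepts untrusted origin "+o)
		}
	}
	return findings
}

func main() {
	// Constructed probe origins; only the first pattern is from the page.
	trusted := []string{"https://some-site-abc456.example.com"}
	untrusted := []string{"https://some-site-abc456.example.com.attacker.test", "https://notexample.com"}
	for _, p := range []string{
		`http[s]?:\/\/some-site-[a-z0-9]+\.example\.com`, // from the page
		`*.example.com`,  // glob: not valid regex
		`.*.example.com`, // glob rewritten without escaping the dots
	} {
		fmt.Printf("%-50s %q\n", p, audit(p, trusted, untrusted))
	}
}
```

The glob fails to compile, and the loosely rewritten glob accepts a different registrable domain because each unescaped `.` matches any character.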

`maxAge` durations are expressed in the Go [duration format](https://godoc.org/time#ParseDuration).
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Only positive values are allowed, and 0 disables the cache, requiring a preflight `OPTIONS` check for all cross-origin requests.