github.com/projectcontour/contour@v1.28.2/site/content/docs/1.25/config/cors.md

# CORS

A CORS (Cross-origin resource sharing) policy can be set for an HTTPProxy in order to allow cross-domain requests for trusted sources.
If a policy is set, it will be applied to all the routes of the virtual host.

Contour allows configuring the headers involved in responses to cross-domain requests.
These include the `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers`, `Access-Control-Expose-Headers`, `Access-Control-Max-Age`, `Access-Control-Allow-Private-Network` and `Access-Control-Allow-Credentials` headers.

In this example, cross-domain requests will be allowed for any domain (note the `*` value), with the methods `GET`, `POST`, or `OPTIONS`.
Headers `Authorization` and `Cache-Control` will be passed to the upstream server and headers `Content-Length` and `Content-Range` will be made available to the cross-origin request client.

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cors-example
spec:
  virtualhost:
    fqdn: www.example.com
    corsPolicy:
        allowCredentials: true
        allowPrivateNetwork: true
        allowOrigin:
          - "*" # allows any origin
        allowMethods:
          - GET
          - POST
          - OPTIONS
        allowHeaders:
          - authorization
          - cache-control
        exposeHeaders:
          - Content-Length
          - Content-Range
        maxAge: "10m" # preflight requests can be cached for 10 minutes.
  routes:
    - conditions:
      - prefix: /
      services:
        - name: cors-example
          port: 80
```

The `allowOrigin` list may also be configured with exact origin matches or regex patterns.
In the following example, cross-domain requests must originate from the domain `https://client.example.com` or from domains that match the regex `http[s]?:\/\/some-site-[a-z0-9]+\.example\.com` (e.g. a request with the `Origin` header `https://some-site-abc456.example.com`).

*Note:* Patterns for matching `Origin` headers must be valid regex; simple "globbing" patterns (e.g. `*.foo.com`) will not be accepted or may produce incorrect matches.

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cors-example
spec:
  virtualhost:
    fqdn: www.example.com
    corsPolicy:
        allowCredentials: true
        allowOrigin:
          - https://client.example.com
          - http[s]?:\/\/some-site-[a-z0-9]+\.example\.com
        allowMethods:
          - GET
          - POST
          - OPTIONS
        allowHeaders:
          - authorization
          - cache-control
        exposeHeaders:
          - Content-Length
          - Content-Range
        maxAge: "10m"
  routes:
    - conditions:
      - prefix: /
      services:
        - name: cors-example
          port: 80
```
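
A way to check a regex `allowOrigin` entry before deploying it, as an added Go example (not Contour's or Envoy's code). It shows why the note above matters: the page's pattern, the same pattern with unescaped dots, and a glob are run against constructed `Origin` values. The helper names `matchOrigin` and `audit` are hypothetical, and the model assumes a regex entry must match the whole `Origin` value.

```go
package main

import (
	"fmt"
	"regexp"
)

// matchOrigin models one allowOrigin entry. Assumption: "*" accepts anything;
// any other entry is a regex that must match the entire Origin value.
func matchOrigin(entry, origin string) (bool, error) {
	if entry == "*" {
		return true, nil
	}
	re, err := regexp.Compile(`^(?:` + entry + `)$`)
	if err != nil {
		return false, fmt.Errorf("entry %q is not a valid regex: %w", entry, err)
	}
	return re.MatchString(origin), nil
}

// audit returns the probe origins that an entry accepts.
func audit(entry string, probes []string) ([]string, error) {
	var hits []string
	for _, o := range probes {
		ok, err := matchOrigin(entry, o)
		if err != nil {
			return nil, err
		}
		if ok {
			hits = append(hits, o)
		}
	}
	return hits, nil
}

func main() {
	probes := []string{ // constructed Origin header values
		"https://some-site-abc456.example.com",
		"https://some-site-abc456xexample.com", // a different registrable domain
		"https://some-site-abc456.example.com.other.test",
	}
	for _, e := range []string{
		`http[s]?:\/\/some-site-[a-z0-9]+\.example\.com`, // pattern from the page
		`http[s]?://some-site-[a-z0-9]+.example.com`,     // dots left unescaped
		`*.example.com`,                                  // glob, not a regex
	} {
		hits, err := audit(e, probes)
		fmt.Printf("%s\n  accepted=%q err=%v\n", e, hits, err)
	}
}
```

The unescaped-dot variant also accepts `https://some-site-abc456xexample.com`, which is not under `example.com`, and the glob fails to compile at all.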

`maxAge` durations are expressed in the Go [duration format](https://godoc.org/time#ParseDuration).
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Only positive values are allowed, and 0 disables the cache, requiring a preflight `OPTIONS` check for all cross-origin requests.