github.com/projectcontour/contour@v1.28.2/site/content/docs/v1.15.2/config/cors.md (about) 1 # CORS 2 3 A CORS (Cross-origin resource sharing) policy can be set for a HTTPProxy in order to allow cross-domain requests for trusted sources. 4 If a policy is set, it will be applied to all the routes of the virtual host. 5 6 Contour allows configuring the headers involved in cross-domain requests. 7 In this example, cross-domain requests will be allowed for any domain (note the `*` value). 8 9 ```yaml 10 apiVersion: projectcontour.io/v1 11 kind: HTTPProxy 12 spec: 13 virtualhost: 14 fqdn: www.example.com 15 corsPolicy: 16 allowCredentials: true 17 allowOrigin: 18 - "*" # allows any origin 19 allowMethods: 20 - GET 21 - POST 22 - OPTIONS 23 allowHeaders: 24 - authorization 25 - cache-control 26 exposeHeaders: 27 - Content-Length 28 - Content-Range 29 maxAge: "10m" # preflight requests can be cached for 10 minutes. 30 routes: 31 - conditions: 32 - prefix: / 33 services: 34 - name: s1 35 port: 80 36 ``` 37 38 In the following example, cross-domain requests are restricted to `https://client.example.com` only. 39 40 ```yaml 41 apiVersion: projectcontour.io/v1 42 kind: HTTPProxy 43 spec: 44 virtualhost: 45 fqdn: www.example.com 46 corsPolicy: 47 allowCredentials: true 48 allowOrigin: 49 - "https://client.example.com" 50 allowMethods: 51 - GET 52 - POST 53 - OPTIONS 54 allowHeaders: 55 - authorization 56 - cache-control 57 exposeHeaders: 58 - Content-Length 59 - Content-Range 60 maxAge: "10m" 61 routes: 62 - conditions: 63 - prefix: / 64 services: 65 - name: s1 66 port: 80 67 ``` 68 69 `MaxAge` durations are expressed in the Go [duration format](https://godoc.org/time#ParseDuration). 70 Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Only positive values are allowed and 0 disables the cache requiring a preflight `OPTIONS` check for all cross-origin requests.