Skip to main content
Skip table of contents

CORS adjustment on VISULOX Gateway

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request.
In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.

For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts.
This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.

To protect requests in VISULOX with an origin HTTP the following adjustments have to be done on VISULOX Gateways.
The internal and the external site URLs must be registered in httpd-gateway-rest.conf and httpd.conf.

httpd-gateway-rest.conf

CODE 
/opt/SUNWsgdg/httpd/httpd-default/conf/extra/gateway/httpd-gateway-rest.conf

<Location "/sgdadmin">
    # Reject any ; path delimiter under the /sgdadmin path
    RewriteEngine on
    RewriteCond "%{REQUEST_URI}" ".*[;].*"
    RewriteRule "^.*$" - [R=404,L]
</Location>

AllowEncodedSlashes NoDecode

### Add this and edit the site urls
<Location "/api">
    # Reject any origin not allowed under the /api path
    RewriteEngine on
    RewriteCond "%{HTTP:Origin}" "!^($|https\:\/\/site1\.com|https\:\/\/site2\.de|https\:\/\/site3\.com)"
    RewriteRule "^.*$" - [R=403,L]
</Location>
### Add end

ProxyPass / balancer://mysgdservers/ lbmethod=byrequests stickysession=balanceid nocanon

httpd.conf

CODE 
/opt/SUNWsgdg/httpd/httpd-default/conf/httpd.conf
<IfModule headers_module>
    Header set Content-Security-Policy "frame-ancestors 'self'"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set Referrer-Policy "same-origin"
    Header set X-Content-Type-Options "nosniff"
    Header set Strict-Transport-Security "max-age=31536000;"

### Add this and edit the site urls
<If "!(%{HTTP:Origin} in { 'https://host.domain', 'https://site1', 'https://site2.de', 'https://site3.com' })">
    Header unset Access-Control-Allow-Origin
    Header unset Access-Control-Allow-Credentials
</If>
### Add end

</IfModule>
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close