Skip to content

CORS mechanism

Concept Description

Cross-Origin Resource Sharing (CORS) allows Web servers to perform cross-domain access, enabling browsers to more securely transfer data across domains.

Scenario

When the user needs to send REST requests across the origin webserver, the CORS mechanism may be used. The microservices that receive cross-domain requests need to enable CORS support.

Configuration instructions

The CORS function is configured in the microservice.yaml file. The configuration items are described in the following table.

| Configuration Item | Default Value | Range of Value | Required | Meaning | | :--- | :--- | :--- | :--- | :--- | :--- | | servicecomb.cors.enabled | false | true/false | No | Whether to enable CORS function | - | | servicecomb.cors.origin | * | - | No | Access-Control-Allow-Origin | - | | servicecomb.cors.allowCredentials | false | true/false | No | Access-Control-Allow-Credentials | According to the CORS standard, when Access-Control-Allow-Credentials is set to true, Access- Control-Allow-Origin cannot be set to "*", otherwise an exception will be thrown | | servicecomb.cors.allowedHeader | None | - | No | Access-Control-Allow-Headers | Multiple values ​​separated by commas | | servicecomb.cors.allowedMethod | None | - | No | Access-Control-Allow-Methods | Multiple values ​​separated by commas | | servicecomb.cors.exposedHeader | None | - | No | Access-Control-Expose-Headers | Multiple values ​​separated by commas | | servicecomb.cors.maxAge | None | (0,2147483647], Integer | No | Access-Control-Max-Age | The unit is seconds. If the user does not configure this, there is no Access-Control-Max in the CORS response. Age |

Sample Code

servicecomb:
  cors:
    enabled: true
    origin: "*"
    allowCredentials: false
    allowedMethod: PUT,DELETE
    maxAge: 3600