
Question around CORS support

  • 1.  Question around CORS support

    Posted 5 days ago
    We are trying to set the CORS header Access-Control-Allow-Origin = * in the section below. Is there a way to specify multiple domains instead of the star? Is there a way to handle or set this using an HTTP transformation? FYI, the CORS spec does not allow setting multiple domains.


    # This stanza is used to define static HTTP headers which will be added
    # to every HTTP response from the WebSEAL server. This will provide the
    # administrator with the ability to insert some standard security headers
    # into the response, such as strict-transport-security,
    # content-security-policy and x-frame-options.
    # Please note that the headers which are defined in this stanza will replace
    # any matching headers which might have been added to the response by a
    # junctioned application.
    # If multiple headers of the same name are specified in this stanza all
    # but the last of the matching entries will be ignored.
    # The format of each entry in this stanza is:
    # <header-name> = <header-value>
    # For example,
    # strict-transport-security = max-age=31536000; includeSubDomains
    # A special <header-value> of '%SESSION_EXPIRY%' can be used to
    # designate a header which will contain the remaining length of time, in
    # seconds, before the current local session expires. This value does not
    # include the overall session timeout for sessions which are managed by
    # the distributed session cache (DSC), but just the length of time before
    # the session expires in the local cache.
    # For example:
    # session-timeout = %SESSION_EXPIRY%
    Access-Control-Allow-Origin = *

    Sairam Durgaraju


  • 2.  RE: Question around CORS support

    Posted 5 days ago

    The 'rsp-header-names' configuration entry is only designed to allow static headers to be inserted.  So, if you only have a single domain, or wish to allow all domains, you can use this configuration entry.  However, if you have more than one domain your only current option is to use HTTP transformation rules.  However, one issue with using HTTP transformation rules is that you have to create a 'response' transformation rule in order to set the response header, and the original HTTP request is not accessible from a 'response' transformation rule.  This means that you can't use the host header (or anything else from the request) when determining what value to set for the Access-Control-Allow-Origin header.  We currently plan to remove this restriction in the next release (due to be released towards the middle of the year).



    Scott Exton
    Gold Coast
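    Since Access-Control-Allow-Origin takes a single origin or *, the usual way to support several domains is to echo the request's Origin header back only when it exactly matches an allowlist, and to add Vary: Origin so caches do not hand one origin's response to another. The following is an added illustration of that per-request logic in Python, not code from this thread or from WebSEAL; the allowlist is a constructed example and the function name cors_headers is my own.

```python
from typing import Dict, Optional, Set

# Constructed example allowlist: full origins (scheme + host + port), compared exactly.
ALLOWED_ORIGINS: Set[str] = {
    "https://app.example.com",
    "https://admin.example.com",
}


def cors_headers(request_origin: Optional[str],
                 allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the CORS response headers to add for one HTTP request.

    Access-Control-Allow-Origin accepts one origin or '*', so several origins
    are handled by reflecting the caller's Origin header, and only when it is
    in the allowlist. Anything else gets no CORS headers, so the browser
    blocks the cross-origin read.
    """
    if request_origin is None:
        # Same-origin navigation or a non-browser client: nothing to add.
        return {}
    if request_origin not in allowed:
        # Exact membership test only: no prefix, suffix or regex matching,
        # which is how "app.example.com.attacker.test" style bypasses arise.
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        # The response now depends on the Origin header; tell shared caches so.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://evil.example.com", None):
        print(origin, "->", cors_headers(origin))
```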