Forum Discussion

kouriada_284551
Oct 03, 2018

Access-Control-Allow-Origin changing according to domains

Hi guys,

I would like to ask for your help.

I have to apply multiple Access-Control-Allow-Origin headers for particular domains via an iRule.

The description of the task is something like this:

When a client is going from domain A to the source portal, the response should contain the header Access-Control-Allow-Origin domain A

When a client is going from domain B to the source portal, the response should contain the header Access-Control-Allow-Origin domain B

etc.

I need to see only the header which contains the particular domain * which I came from as a client

I was able to create only this:

    when HTTP_RESPONSE {
        if !{[HTTP::header exists "Access-Control-Allow-Origin"]} {
            HTTP::header insert Access-Control-Allow-Origin "domain A"
            HTTP::header insert Access-Control-Allow-Origin "domain B"
            HTTP::header insert Access-Control-Allow-Origin "domain C"
        }
    }

but it doesn't do what I need, and I am not able to create a conditional in that iRule for a particular domain; I see all the CORS headers at once via curl.

I have been trying to do this via a policy, but it seems to me that it doesn't work either.

I appreciate any help

AK

3 Replies

  • Hi

    How are you determining if a client originates from domainA or domainB - are they coming from a particular subnet for instance?

  • Hi,

    The client will come from a particular web page (where there will be a login page into the source web page), so I can determine that according to the particular FQDN of that domainA or B.

    I have been thinking that I could solve it like this: *.domainA, *.domainB, add those *.domains to a data group list and write something like this: if { ! [class match $act_uri contains allow_domains] and that the particular domain will be added to Access-Control-Allow-Origin *.domainA or *.domainB according to where the client comes from

    or just write it down in a couple of simple iRules, theoretically:

    for *.domainA:

        http:Request
        if http: host equal domainA
        then
        http response:
        http:header Access-Control-Allow-Origin domainA

    for *.domainB:

        http:Request
        if http: host equal domainB
        then
        http response:
        http:header Access-Control-Allow-Origin domainB

    etc.

    Does it make sense?

    I am not strong enough in writing iRules.

    AK

  • Hello,

    you can use this share code (Rory Hewitt):

    https://devcentral.f5.com/codeshare/cors-implementation

    # Domains that are allowed to make cross-domain calls to example.com
    class allowed_origins {
        ".example.com"
        ".example2.com"
        ".goodpartner.com"
    }
    
    when HTTP_REQUEST {
        unset -nocomplain cors_origin
        if { [class match [HTTP::header Origin] ends_with allowed_origins] } {
            if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } {
                # CORS preflight request - return response immediately
                HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \
                                  "Access-Control-Allow-Methods" [HTTP::header "Access-Control-Request-Method"] \
                                  "Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \
                                  "Access-Control-Max-Age" "86400" \
                                  "Vary" "Origin"
            } else {
                # CORS GET/POST requests - set cors_origin variable
                set cors_origin [HTTP::header "Origin"]
            }
        }
    }
    
    when HTTP_RESPONSE {
        # CORS GET/POST response - check cors_origin variable set in request
        if { [info exists cors_origin] } {
            HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
            HTTP::header insert "Access-Control-Allow-Credentials" "true"
            HTTP::header insert "Vary" "Origin"
        }
    }
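
Added example (Python, not part of the thread or of the codeshare): an offline model of the ends_with allowed_origins check above, so candidate Origin values can be tested before the data group goes live. It assumes class match compares the raw header value case-sensitively; strict_match and the sample origins are hypothetical and constructed for this example.

```python
from urllib.parse import urlsplit

# Data group entries as posted in the codeshare above.
ALLOWED_ORIGINS = [".example.com", ".example2.com", ".goodpartner.com"]


def irule_ends_with(origin, entries=ALLOWED_ORIGINS):
    """Model of: class match [HTTP::header Origin] ends_with allowed_origins.
    Assumes a case-sensitive comparison against the raw header value."""
    return any(origin.endswith(e) for e in entries)


def strict_match(origin, entries=ALLOWED_ORIGINS, schemes=("https",)):
    """Hypothetical stricter check (not the codeshare's logic): parse the
    Origin, require an allowed scheme, and compare only the host name."""
    try:
        parts = urlsplit(origin)
        host = (parts.hostname or "").lower()
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in schemes or not host or parts.username:
        return False
    if parts.path or parts.query or parts.fragment:
        return False  # a serialized origin is scheme://host[:port] only
    for entry in entries:
        apex = entry.lstrip(".").lower()
        if host == apex or host.endswith("." + apex):
            return True
    return False


def cors_headers(origin, match=irule_ends_with):
    """Headers the HTTP_RESPONSE event would insert, or {} if none."""
    if not origin or not match(origin):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed sample Origin values, not taken from the thread.
    for o in ["https://app.example.com", "https://example.com",
              "https://app.example.com:8443", "http://app.example.com",
              "https://evilexample.com", "null"]:
        print(f"{o:32} ends_with={irule_ends_with(o)!s:5} strict={strict_match(o)}")
```

With the posted entries, the suffix check rejects the apex https://example.com and any origin that carries a port, and it accepts plain-http origins. Only the leading dot in each entry keeps https://evilexample.com out.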