mule-cors-policy

CORS interceptor on Mule API http listener

CORS (Cross-Origin Resource Sharing) is a standard browser mechanism that lets JavaScript running in a web page (via XMLHttpRequest or fetch) read responses from an origin other than the page's own. Browsers enforce the same-origin policy by default; CORS is the commonly implemented way for a server to selectively relax it for specific origins.

MuleSoft documentation: https://docs.mulesoft.com/api-manager/2.x/cors-policy

The CORS algorithm runs on both sides: the web server states which origins, methods and headers it accepts, and the browser that loaded the requesting page enforces that decision on the page's behalf.

  • A preflight is a preliminary request (HTTP method OPTIONS) that the browser sends to the backend server before the actual call. It carries the origin of the web page that is trying to perform the request, plus the method and custom headers the actual request will use, so the server can decide whether to allow them.
  • If the backend does not accept the origin (or the method or headers), it responds to the preflight without the Access-Control-Allow-Origin header. The browser then understands that the page's origin is not allowed on that server and does not send the actual request.

So in some cases, for instance GET with custom headers, POST with a JSON body, or PUT/DELETE, the browser issues the preflight first and sends the actual GET or POST only after the preflight passes the CORS test. Requests that use only GET, HEAD or POST with safelisted headers (so-called simple requests) are sent directly, and the browser instead blocks the page from reading the response if Access-Control-Allow-Origin is missing. Note that all of this is enforced by the browser: a non-browser client such as curl or Postman can send any Origin value and ignore the response, so CORS controls what a web page is allowed to read, not who is allowed to call the API.
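The rule for when a browser preflights, as an added example that is not code from this repo or from MuleSoft: it classifies a request by the Fetch standard's CORS-safelisted methods and headers, and builds the three headers the browser would put on the resulting OPTIONS call. The sample calls and the origin https://app.example.com are constructed for illustration.

```javascript
// Added example, not code from the mule-cors-policy repo: which cross-origin
// calls a browser sends directly and which it preflights with OPTIONS first.
// The rules are the Fetch standard's "CORS-safelisted" method/header definitions.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADER_NAMES = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// A header set by page script is safelisted only if its name is on the list
// and, for Content-Type, its media type is too (parameters such as charset
// are ignored). Anything else forces a preflight.
function isSafelistedHeader(name, value) {
  const lower = name.toLowerCase();
  if (!SAFELISTED_HEADER_NAMES.has(lower)) return false;
  if (lower !== "content-type") return true;
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SAFELISTED_CONTENT_TYPES.has(mediaType);
}

// headers: the request headers the page's script added (plain object).
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([n, v]) => !isSafelistedHeader(n, v));
}

// The headers the browser attaches to the preflight. `origin` is the page's
// origin (scheme://host[:port]); the browser sets it and page script cannot
// change it. Non-safelisted header names are listed lowercase, sorted,
// comma-separated, which is how browsers format Access-Control-Request-Headers.
function preflightHeaders(origin, method, headers = {}) {
  const out = {
    Origin: origin,
    "Access-Control-Request-Method": method.toUpperCase(),
  };
  const unsafe = Object.entries(headers)
    .filter(([n, v]) => !isSafelistedHeader(n, v))
    .map(([n]) => n.toLowerCase())
    .sort();
  if (unsafe.length > 0) out["Access-Control-Request-Headers"] = unsafe.join(",");
  return out;
}

// Constructed sample calls, as a page at https://app.example.com would make them.
console.log(needsPreflight("GET"));                                         // false
console.log(needsPreflight("POST", { "Content-Type": "application/json" })); // true
console.log(preflightHeaders("https://app.example.com", "post",
  { "Content-Type": "application/json", "X-Api-Key": "k" }));
```

A JSON POST is preflighted because application/json is not a safelisted Content-Type, which is why the CORS interceptor must list content-type (and any API key header) among the allowed headers or the actual call never leaves the browser.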

CORS support for Mule apps can be added either as a CORS interceptor in the HTTP listener config at the application level, or enforced through API Manager via the CORS policy. When applying it through API Manager, you can apply it directly to the implementation API (via auto-discovery) or at the proxy layer on top of the implementation.

The browser automatically sends the Origin header with the origin (scheme, host and port) of the page; page script cannot override it. A preflight request is issued with the following request headers:

  • Origin: the origin of the page making the cross-origin request.
  • Access-Control-Request-Method: the method that will be used in the actual request.
  • Access-Control-Request-Headers: the custom (non-safelisted) headers that will be sent in the actual request.

If that origin is one of the accepted origins configured in the CORS interceptor/policy, the requested method is supported, and the requested headers are supported, then the response header Access-Control-Allow-Origin is populated with the origin value sent in the request (alongside Access-Control-Allow-Methods and Access-Control-Allow-Headers listing what is permitted). If any of the three checks fails, the header is omitted and the browser abandons the call.
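A minimal model of that server-side decision, as an added example that is not the Mule interceptor's or the API Manager policy's own code: the config shape (allowedOrigins/allowedMethods/allowedHeaders) and the sample preflights are assumptions for illustration. It reproduces the two outcomes of the Postman tests on this page, an allowed origin echoed back in Access-Control-Allow-Origin and a rejected one answered without it, and shows why the origin must be matched exactly rather than by substring.

```javascript
// Added example, not the Mule interceptor's or the API Manager policy's own
// code: a minimal model of the server-side CORS check. The config shape
// (allowedOrigins/allowedMethods/allowedHeaders) is assumed for illustration.

const corsConfig = {
  allowedOrigins: ["https://app.example.com", "https://admin.example.com"],
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["content-type", "x-api-key"],
};

// Exact comparison of the whole origin string. A substring or prefix test
// (origin.includes("example.com"), a loose regex) would also accept
// https://app.example.com.attacker.net, which is a different origin.
function isAllowedOrigin(config, origin) {
  return typeof origin === "string" && config.allowedOrigins.includes(origin);
}

function lowerKeys(obj) {
  return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
}

function splitList(value) {
  return value ? value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean) : [];
}

// Decide the response to a preflight. req = { method, headers }. Returns the
// CORS response headers to add; an empty object means the browser sees no
// Access-Control-Allow-Origin and refuses to send the actual request.
function handlePreflight(config, req) {
  const h = lowerKeys(req.headers);
  const origin = h["origin"];
  const method = (h["access-control-request-method"] || "").toUpperCase();
  if (req.method.toUpperCase() !== "OPTIONS" || !origin || !method) {
    return {}; // not a CORS preflight at all
  }
  if (!isAllowedOrigin(config, origin)) return {};
  if (!config.allowedMethods.includes(method)) return {};
  const requested = splitList(h["access-control-request-headers"]);
  if (!requested.every((n) => config.allowedHeaders.includes(n))) return {};
  return {
    "Access-Control-Allow-Origin": origin, // echo the one matching origin, not "*"
    "Access-Control-Allow-Methods": config.allowedMethods.join(", "),
    "Access-Control-Allow-Headers": config.allowedHeaders.join(", "),
    Vary: "Origin", // so a cache never replays one origin's answer to another
  };
}

// Constructed preflights carrying the same three headers the Postman test sends.
const okPreflight = {
  method: "OPTIONS",
  headers: {
    Origin: "https://app.example.com",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "content-type, x-api-key",
  },
};
const badPreflight = {
  method: "OPTIONS",
  headers: { ...okPreflight.headers, Origin: "https://app.example.com.attacker.net" },
};
console.log(handlePreflight(corsConfig, okPreflight));  // includes Access-Control-Allow-Origin
console.log(handlePreflight(corsConfig, badPreflight)); // {}
```

The Origin value is simply whatever the client sent, which is exactly why Postman can exercise both branches: a forged Origin passes this check just as a genuine one does, so the interceptor decides only what a browser will let a page read, and authentication of the caller still has to happen elsewhere.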

In the HTTP listener config, the CORS interceptor configuration looks like this, with one or more origins from which requests to the API are accepted:

(screenshot: CORS interceptor configuration in the HTTP listener config)

In API Manager, the CORS policy is as shown below:

(screenshot: CORS policy configuration in API Manager)

Used Postman to test it: invoked the OPTIONS method with the above three headers.

Successful test: returns the access-control-allow-origin header.

(screenshot: Postman OPTIONS request from an accepted origin, response includes access-control-allow-origin)

Failed test: does not return the access-control-allow-origin header.

(screenshot: Postman OPTIONS request from a rejected origin, response lacks access-control-allow-origin)
