Skip to main content
Version: 7.2405.x.x LTS

Cross Origin Resource Sharing

In case your backend does not support Cross Origin Resource Sharing (CORS), the delivered nevisProxy package contains two examples for some simple CORS setups implemented in Lua.

The examples should be used for testing only and are not supported. CORS is a feature that should be implemented by the backend itself.

note

We highly recommend enabling CORS support in your backends. :

Example 1

/opt/nevisproxy/examples//WAF/cors_simple_request_via_lua.example

<!--
NevisProxy configuration example

a CORS implementaion for simple requests written in Lua
-->

<!--
Description

This sample shows how a LuaFilter can be implemented to allow CORS for simple requests.
To work correctly, you may have to allow the method 'OPTIONS' and 'PUT" in the allowedMethods parameter (navajo.xml).
Use this filter if your backend does not support CORS, but we strongly recommend to update you backend to support CORS.

-->

<filter>
<filter-name>SimpleRequestCORSFilter</filter-name>
<filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
<init-param>
<param-name>Script</param-name>
<param-value>
function outputHeader(request, response)
if request:getHeader("Origin") then
-- the response header "Access-Control-Allow-Origin" is mandatory.
-- it says which domains are allowed to access the page
-- with '*' all domains are allowed
-- set it to 'mydomain.ch' to allow only the domain 'mydomain.ch'
response:setHeader("Access-Control-Allow-Origin", "*")
end
end
</param-value>
</init-param>
<init-param>
<param-name>Script.OutputHeaderFunctionName</param-name>
<param-value>outputHeader</param-value>
</init-param>
</filter>

Example 2

/opt/nevisproxy/examples//WAF/cors_preflighted_request_via_lua.example

<!--
NevisProxy configuration example

a CORS implementaion for preflighted requests written in Lua
-->

<!--
Description

This sample shows how a LuaFilter can be implemented to allow CORS for preflighted requests.
To work correctly, you may have to allow the method 'OPTIONS' and 'PUT" in the allowedMethods parameter (navajo.xml).
Use this filter if your backend does not support CORS, but we strongly recommend to update you backend to support CORS.

-->

<filter>
<filter-name>PreflightedRequestCORSFilter</filter-name>
<filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
<init-param>
<param-name>Script</param-name>
<param-value>
function inputHeader(request, response)
if request:getMethod() == "OPTIONS" then
-- the response header "Access-Control-Allow-Origin" is mandatory.
-- it says which domains are allowed to access the page
-- with '*' all domains are allowed
-- set it to 'mydomain.ch' to allow only the domain 'mydomain.ch'
response:setHeader("Access-Control-Allow-Origin", "*")
-- the remaining response header are optional. See the CORS documentation for further detail
response:setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT")
response:setHeader("Access-Control-Allow-Credentials", "true")
response:setHeader("Access-Control-Allow-Headers", "Authorization")
response:setHeader("Access-Control-Expose-Headers", "*")
response:setHeader("Access-Control-Max-Age", "1800")
-- this request does not reach the backend. We just tell the browser what we allow so that it can
-- organize the following requests
response:setHeader("Content-Type", "text/html")
response:send(200)
end
end
</param-value>
</init-param>
<init-param>
<param-name>Script.InputHeaderFunctionName</param-name>
<param-value>inputHeader</param-value>
</init-param>
</filter>