CORS and Preflight responses in APIM

Nagashree Balasundaram 741 Reputation points
2022-09-19T17:43:54.3+00:00

Hi,
I am trying to handle preflight responses in APIM using the in-built <cors> policy.
I have the <cors> policy configured as below on the inbound:

<cors>
    <allowed-origins>
        <origin>https://demo4.myori.com</origin>
        <origin>http://localhost:4200</origin>
        <origin>https://localhost:44346</origin>
    </allowed-origins>
    <allowed-methods>
        <method>GET</method>
        <method>POST</method>
        <method>PUT</method>
        <method>DELETE</method>
    </allowed-methods>
    <allowed-headers>
        <header>*</header>
    </allowed-headers>
</cors>

When a preflight request is received, only the Access-Control-Allow-Origin header is set. The Access-Control-Allow-Methods and Access-Control-Allow-Headers are not set. Is there something that needs to be done explicitly to handle this?

Additional Details:
I have defined an operation for OPTIONS with route /* and removed <base/> for the backend in this operation. This is to prevent the request from getting forwarded to the backend. The backend doesn't handle OPTIONS requests; if forwarded to the backend, a 404 error is seen.
On the outbound for All Operations, the set-header policies to set the preflight headers are configured. However, those are not set.

<set-header name="Access-Control-Allow-Origin" exists-action="override">
    <value>@(context.Request.Headers.GetValueOrDefault("Origin",""))</value>
</set-header>
<set-header name="Access-Control-Allow-Headers" exists-action="override">
    <value>*</value>
</set-header>
<set-header name="Access-Control-Allow-Methods" exists-action="override">
    <value>*</value>
</set-header>

1 answer

  1. MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator
    2022-09-19T21:28:55.403+00:00

    @Nagashree Balasundaram Thank you for reaching out to Microsoft Q&A. The headers Access-Control-Allow-Methods and Access-Control-Allow-Headers are set if the request has Access-Control-Request-Headers and Access-Control-Request-Method respectively, and you can refer to the docs: Access-Control-Request-Headers & Access-Control-Request-Method as well. So, I don't think you need to set these headers explicitly. The same has been described in Preflighted requests.

    I might need the full policy info to investigate or repro this issue. However, I found from your other thread, it worked in Inbound Policy. Please let me know if you still face the issue.
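
As an added example (not code from this thread and not APIM's own implementation), the JavaScript below checks a preflight request/response pair against the browser-side rules of the Fetch standard, which shows whether a test request actually carried the Access-Control-Request-* headers the answer refers to. The function name, finding labels and sample headers are constructed for illustration, and a non-credentialed request is assumed.

```javascript
// Added example. Models the browser-side CORS preflight check from the Fetch
// standard; it is not APIM's implementation. Assumes a non-credentialed request.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

// Lower-case header names so lookups are case-insensitive.
const lower = (headers) =>
  Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
// Split a comma-separated header value into trimmed tokens.
const list = (value) => (value || "").split(",").map((s) => s.trim()).filter(Boolean);

function diagnosePreflight(method, requestHeaders, responseHeaders) {
  const req = lower(requestHeaders);
  const res = lower(responseHeaders);
  // A preflight is OPTIONS carrying Origin and Access-Control-Request-Method.
  if (method !== "OPTIONS" || !req["origin"] || !req["access-control-request-method"]) {
    return ["not-a-preflight"];
  }
  const findings = [];
  const allowOrigin = res["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== req["origin"]) {
    findings.push("origin-not-allowed");
  }
  const wanted = req["access-control-request-method"];
  const allowMethods = list(res["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.includes(wanted) && !allowMethods.includes(wanted) &&
      !allowMethods.includes("*")) {
    findings.push("method-not-allowed:" + wanted);
  }
  const allowHeaders = list(res["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const name of list(req["access-control-request-headers"])) {
    const h = name.toLowerCase();
    // "*" never covers Authorization; it has to be listed by name.
    const covered = allowHeaders.includes(h) || (allowHeaders.includes("*") && h !== "authorization");
    if (!covered) findings.push("header-not-allowed:" + h);
  }
  return findings;
}

// Constructed sample: a full preflight answered with only Allow-Origin.
const sampleRequest = {
  "Origin": "http://localhost:4200",
  "Access-Control-Request-Method": "PUT",
  "Access-Control-Request-Headers": "content-type",
};
const sampleResponse = { "Access-Control-Allow-Origin": "http://localhost:4200" };
console.log(diagnosePreflight("OPTIONS", sampleRequest, sampleResponse));
```

A result of `not-a-preflight` means the test request was a plain OPTIONS call without Access-Control-Request-Method, so it should be repeated with that header before concluding the policy is misconfigured.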

