Azure API Management | CORS

Abhay Chandramouli 1,061 Reputation points
2023-12-11T17:37:49.7333333+00:00

Hi,

I am trying to apply CORS to API Management.

I have an allowed-origins named value => https://abc.com,https://xyz.com,https://pol.com...... and so on

I have written some code to make it a bit dynamic, like:

<choose>
    <when condition="@(context.Request.Headers.GetValueOrDefault("Origin","null") != "null"
                       && context.Variables.GetValueOrDefault("allowedOriginsList") != null
                       && ((string)context.Variables.GetValueOrDefault("allowedOriginsList")).Split(',').Contains(context.Request.Headers.GetValueOrDefault("Origin")))">
        <set-variable name="origin" value="@((string)context.Request.Headers.GetValueOrDefault("Origin"))" />
    </when>
    <otherwise>
        <set-variable name="origin" value="@((string)context.Variables.GetValueOrDefault("defaultOrigin"))" />
    </otherwise>
</choose>
<cors allow-credentials="true">
    <allowed-origins>
        <origin>@(context.Variables.GetValueOrDefault("origin"))</origin>
    </allowed-origins>
    <allowed-methods preflight-result-max-age="300">
        <method>GET</method>
        <method>PUT</method>
        <method>POST</method>
        <method>PATCH</method>
        <method>DELETE</method>
        <method>OPTIONS</method>
    </allowed-methods>
    <allowed-headers>
        <header>*</header>
    </allowed-headers>
    <expose-headers>
        <header>*</header>
    </expose-headers>
</cors>

This works from the APIM Test tab, but not from the frontend.

Please help me with what I am doing wrong.

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

1 answer

  1. MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator
    2023-12-11T19:15:48.52+00:00

    Abhay Chandramouli, thanks for posting your question in Microsoft Q&A. I assume you have already reviewed Calculate Effective Policy in the policy editor to check the policy evaluation order for the scope. This may have worked in the APIM Test tab since, by default, the Origin header was not passed to the gateway and hence the cors policy was not applied.

    Quickly reviewing the policy snippet, you are looking to allow a certain list of allowed origins (from variable "allowedOriginsList") or the default origin (from variable "defaultOrigin"); otherwise it should be denied. Correct?

    I suggest you enable tracing using the Ocp-Apim-Trace header in your front-end app as described in the doc, validate request headers such as Origin and Method, and then evaluate the results like below:

    User's image

    This will help in investigating the cause of the failure.

    I hope this helps, and let me know if you have any questions or are still looking for assistance.


    If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.
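
The origin selection in the question's `<choose>` block, modelled in JavaScript as an added example (not code from the question, the answer, or Azure API Management): it shows why a request without an Origin header, as the answer describes for the Test tab, never exercises the match, and which formatting problems in the list defeat the exact comparison for a browser request. The named-value string, default origin and request origins are constructed sample data, and the function names are hypothetical.

```javascript
// Added example. SAMPLE_LIST and SAMPLE_DEFAULT are constructed values, not
// the poster's real named values.
const SAMPLE_LIST = "https://abc.com, https://xyz.com,https://pol.com/";
const SAMPLE_DEFAULT = "https://abc.com";

// Mirrors the <choose> block: Split(',').Contains(...) is an exact,
// case-sensitive comparison and does not trim the entries.
function selectOrigin(originHeader, allowedOriginsList, defaultOrigin) {
  const origin = originHeader === undefined ? "null" : originHeader;
  const listed = allowedOriginsList != null &&
    allowedOriginsList.split(",").includes(origin);
  return origin !== "null" && listed ? origin : defaultOrigin;
}

// Explains the outcome for one request. A credentialed browser request only
// succeeds when the allowed origin equals the request's Origin exactly.
function diagnose(originHeader, allowedOriginsList, defaultOrigin) {
  if (originHeader === undefined) {
    return "no Origin header: not a CORS request, nothing to match";
  }
  const selected = selectOrigin(originHeader, allowedOriginsList, defaultOrigin);
  if (selected === originHeader) return "match: browser accepts";
  // Look for a list entry that would have matched after normalisation.
  const norm = (s) => s.trim().replace(/\/+$/, "").toLowerCase();
  const near = (allowedOriginsList || "").split(",")
    .find((entry) => norm(entry) === norm(originHeader));
  if (near === undefined) return "blocked: origin not in list";
  if (near !== near.trim()) return "blocked: list entry has surrounding whitespace";
  if (/\/$/.test(near)) return "blocked: list entry has a trailing slash";
  return "blocked: list entry differs in letter case";
}

// Walk through the constructed cases: no header, then four browser origins.
for (const o of [undefined, "https://abc.com", "https://xyz.com",
                 "https://pol.com", "https://other.example"]) {
  console.log(String(o).padEnd(22), "->", diagnose(o, SAMPLE_LIST, SAMPLE_DEFAULT));
}
```

Comparing the Origin value shown in the Ocp-Apim-Trace output against the raw named-value string in this way separates a list formatting problem from a policy scope or ordering problem.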