You enable cross-domain request enforcement as part of the Allowed HTTP or WebSocket URL properties within a security policy. Then you can specify which domains can access the response generated by requesting this URL (the “resource”). For HTTP URLs, you can also configure how to overwrite CORS response headers that are returned by the web server.
This feature does not affect internal redirection, which is always allowed. For example, Location: /anotherpage/onthisserver/internal_redirect.php would be allowed even if cross-domain request enforcement is enabled on the system.
| Select this option | To do this |
| --- | --- |
| Disabled | Do nothing related to cross-domain requests. Pass CORS requests exactly as set by the server. |
| Remove all CORS headers | Remove all CORS headers from the response. The response is sent to the browser, and the browser does not allow cross-origin requests. |
| Replace CORS headers (HTTP URLs only) | Replace the CORS headers in the response with the headers specified on the tab, including allowed origins, allowed methods, allowed headers, and so on. The browser enforces the policy. |
| Enforce on ASM | Allow cross-origin resource sharing as configured. CORS requests are allowed from the domains specified as allowed origins. ASM enforces the policy. |
ASM extracts the Origin (domain) of the request from the Origin header. If the Origin header is missing or has more than one occurrence, ASM issues an Illegal cross-origin request violation if it is set to alarm or block. If the violation is set to block in the URL section of the Learning and Blocking Settings (and the Enforcement Mode of the security policy is set to blocking), the system blocks the request.
If a request comes from a domain that does not belong to the application and is not specified in the list of allowed origins, the system also issues an Illegal cross-origin request violation. If the violation is set to block (and the Enforcement Mode is set to blocking), the request is blocked.
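The following is an added example, not F5's code, that models the four CORS Enforcement Mode options from the table above together with the Enforce on ASM checks just described (missing Origin header, duplicated Origin header, origin not in the allowed list). The policy fields, the sample request and response headers, and the two blocking flags (`violation_action`, `policy_blocking`) are constructed for this illustration; the way Replace mode echoes the requesting origin is an assumption, since browsers accept only a single origin (or `*`) in `Access-Control-Allow-Origin`.

```python
"""Added example, not F5's code: a small model of the four CORS Enforcement
Mode options, applied to one request/response pair. Policy values, sample
headers and the blocking flags are constructed for this illustration."""
from dataclasses import dataclass, field

VIOLATION = "Illegal cross-origin request"   # violation name used on this page


@dataclass
class CorsPolicy:
    mode: str                                 # one of the four options in the table
    allowed_origins: set = field(default_factory=set)
    allowed_methods: list = field(default_factory=list)
    allowed_headers: list = field(default_factory=list)
    violation_action: str = "alarm"           # assumed: "alarm" or "block"
    policy_blocking: bool = False             # assumed: Enforcement Mode is blocking


def extract_origin(request_headers):
    """Return the single Origin value, or None when the header is missing or
    occurs more than once (both cases are a violation under Enforce on ASM)."""
    origins = [v for k, v in request_headers if k.lower() == "origin"]
    return origins[0] if len(origins) == 1 else None


def strip_cors_headers(response_headers):
    """Drop every Access-Control-* header the server set."""
    return [(k, v) for k, v in response_headers
            if not k.lower().startswith("access-control-")]


def apply_cors_mode(policy, request_headers, response_headers):
    """Return (violations, blocked, headers_to_send) for one request."""
    if policy.mode == "Disabled":
        return [], False, list(response_headers)

    if policy.mode == "Remove all CORS headers":
        # The browser sees no CORS headers and refuses cross-origin access itself.
        return [], False, strip_cors_headers(response_headers)

    if policy.mode == "Replace CORS headers":
        # Assumed behaviour: echo the requesting origin only when it is allowed,
        # then attach the policy's method and header lists. The browser enforces.
        headers = strip_cors_headers(response_headers)
        origin = extract_origin(request_headers)
        if origin in policy.allowed_origins:
            headers += [
                ("Access-Control-Allow-Origin", origin),
                ("Access-Control-Allow-Methods", ", ".join(policy.allowed_methods)),
                ("Access-Control-Allow-Headers", ", ".join(policy.allowed_headers)),
            ]
        return [], False, headers

    if policy.mode == "Enforce on ASM":
        origin = extract_origin(request_headers)
        if origin is None or origin not in policy.allowed_origins:
            # The violation is raised whether it is set to alarm or block; the
            # request is dropped only when both the violation and the policy block.
            blocked = policy.violation_action == "block" and policy.policy_blocking
            return [VIOLATION], blocked, list(response_headers)
        return [], False, list(response_headers)

    raise ValueError(f"unknown CORS Enforcement Mode: {policy.mode}")


# Constructed sample messages: an allowed origin and an over-permissive server header.
REQUEST = [("Host", "api.example.com"), ("Origin", "https://app.example.com")]
RESPONSE = [("Content-Type", "application/json"),
            ("Access-Control-Allow-Origin", "*")]

if __name__ == "__main__":
    for mode in ("Disabled", "Remove all CORS headers",
                 "Replace CORS headers", "Enforce on ASM"):
        policy = CorsPolicy(mode, {"https://app.example.com"}, ["GET", "POST"],
                            ["Content-Type"], "block", True)
        print(mode, apply_cors_mode(policy, REQUEST, RESPONSE))
```

Running the script shows the same server response leaving the device four different ways: untouched, with the wildcard header stripped, with the wildcard replaced by the specific allowed origin, or unchanged but gated by the device's own origin check.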
CORS headers are enforced by all popular browsers. The browser reads the allowed origins from the Access-Control-Allow-Origin header in the response. If the subsequent request from that page does not match any of the allowed origins, the browser will not place the request. In many situations, servers do not populate those headers properly, so you can have ASM™ replace the CORS headers. If you want ASM to replace CORS headers when enforcing HTML5 cross-domain requests, you can update an existing HTTP URL. This task applies only to HTTP URLs, not to WebSocket URLs.
If the preflight request is authorized by the web server, the browser allows the foreign domain to send its original request. If the origin of the requesting page does not match any of the allowed origins, the browser declines the request.
When processing a modification request, the browser sends a preflight request if it has no previously cached allowed origins (that is, this is the first time the browser goes to the foreign domain for such requests). The preflight request uses an OPTIONS HTTP method and CORS-related headers to check whether the server authorizes that origin.
The CORS-related headers that are included in a preflight request are:
| Header | Purpose |
| --- | --- |
| Origin | Identifies the requesting origin. |
| Access-Control-Request-Method | Indicates which method is used in the actual request (other than simple methods). |
| Access-Control-Request-Headers | Indicates which headers are used in the actual request (other than simple headers). |
In response to the preflight request, the system uses these CORS response headers:
| Header | Purpose |
| --- | --- |
| Access-Control-Allow-Origin | List of origins the resource may be shared with (wildcard supported). |
| Access-Control-Allow-Credentials | Indicates whether the actual request may include user credentials (true/false). |
| Access-Control-Allow-Methods | Indicates which methods can be used during the actual request. |
| Access-Control-Allow-Headers | Indicates which request headers can be used during the actual request. |
| Access-Control-Max-Age | Indicates how long (in seconds) the browser caches the result of a preflight request. |
The browser then allows the foreign domain to send its original requests.
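The exchange described above (browser decides whether a preflight is needed, sends OPTIONS with the three request headers, the resource answers with the five response headers, the browser checks the answer and caches it for Max-Age), as an added example that is not F5's code or any browser's implementation. The resource-side policy, origins, paths and the clock values are constructed; the safelist of "simple" methods and headers is simplified (the real rules also constrain Content-Type values), and the cache is a plain dictionary keyed by origin and URL.

```python
"""Added example, not F5's or a browser's code: both sides of a CORS preflight
exchange in one script. Policy, origins, URLs and clock values are constructed."""
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# Simplified safelist: the real rules also restrict Content-Type values.
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}

SERVER_POLICY = {  # constructed resource-side policy
    "allow_origins": {"https://app.example.com"},
    "allow_methods": {"GET", "POST", "PUT"},
    "allow_headers": {"content-type", "x-request-id"},
    "allow_credentials": True,
    "max_age": 600,
}


def needs_preflight(method, header_names):
    """A request is 'simple' when its method and headers are all safelisted;
    anything else (e.g. PUT, or a custom header) triggers a preflight."""
    return method not in SIMPLE_METHODS or any(
        h.lower() not in SIMPLE_HEADERS for h in header_names)


def build_preflight(origin, method, header_names):
    """Browser side: the OPTIONS request carrying the three CORS request headers.
    header_names lists only the headers beyond the safelist."""
    return {
        "method": "OPTIONS",
        "Origin": origin,
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": ", ".join(sorted(h.lower() for h in header_names)),
    }


def answer_preflight(preflight, policy=SERVER_POLICY):
    """Resource side: the five CORS response headers, or an empty dict when the
    origin is not allowed (no CORS headers means the browser grants nothing)."""
    origin = preflight["Origin"]
    if origin not in policy["allow_origins"]:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true" if policy["allow_credentials"] else "false",
        "Access-Control-Allow-Methods": ", ".join(sorted(policy["allow_methods"])),
        "Access-Control-Allow-Headers": ", ".join(sorted(policy["allow_headers"])),
        "Access-Control-Max-Age": str(policy["max_age"]),
    }


def browser_permits(preflight, response):
    """Browser side: release the actual request only if origin, method and
    every requested header were explicitly allowed."""
    if response.get("Access-Control-Allow-Origin") not in ("*", preflight["Origin"]):
        return False
    methods = {m.strip() for m in response.get("Access-Control-Allow-Methods", "").split(",")}
    if preflight["Access-Control-Request-Method"] not in methods:
        return False
    allowed = {h.strip().lower() for h in response.get("Access-Control-Allow-Headers", "").split(",")}
    wanted = {h for h in preflight["Access-Control-Request-Headers"].split(", ") if h}
    return wanted <= allowed


class PreflightCache:
    """Browser-side cache keyed by (origin, url); entries expire after Max-Age."""
    def __init__(self):
        self.entries = {}

    def lookup(self, origin, url, now):
        expiry = self.entries.get((origin, url))
        return expiry is not None and now < expiry

    def store(self, origin, url, response, now):
        self.entries[(origin, url)] = now + int(response["Access-Control-Max-Age"])


def cross_origin_request(cache, origin, url, method, header_names, now, policy=SERVER_POLICY):
    """Whole flow from the page's perspective. Returns (preflight_sent, actual_request_sent)."""
    if not needs_preflight(method, header_names):
        return False, True          # simple request goes out without a preflight
    if cache.lookup(origin, url, now):
        return False, True          # earlier preflight still cached: send directly
    extra = [h for h in header_names if h.lower() not in SIMPLE_HEADERS]
    preflight = build_preflight(origin, method, extra)
    response = answer_preflight(preflight, policy)
    permitted = browser_permits(preflight, response)
    if permitted:
        cache.store(origin, url, response, now)
    return True, permitted


if __name__ == "__main__":
    cache = PreflightCache()
    print(cross_origin_request(cache, "https://app.example.com", "/api/item", "PUT",
                               ["Content-Type", "X-Request-Id"], now=0))    # (True, True)
    print(cross_origin_request(cache, "https://app.example.com", "/api/item", "PUT",
                               ["X-Request-Id"], now=100))                  # (False, True)
    print(cross_origin_request(cache, "https://other.example", "/api/item", "PUT",
                               [], now=0))                                  # (True, False)
```

The second call shows why Max-Age matters for the "no previously cached allowed origins" condition in the text: within the cached window the browser skips the OPTIONS round trip entirely, so a policy change on the resource is not seen by that browser until the entry expires.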
If you do not enable cross-domain request enforcement, the system removes all cross-origin request headers and CORS is not allowed for the URL.
If you select Enforce on ASM as the CORS Enforcement Mode, ASM™ permits access according to the allowed origins. With this option there is no need for a preflight request, because ASM itself checks the origin. Unlike the Replace CORS headers setting, where the browser enforces the policy, here ASM does the enforcement.