Cross Origin Resource Sharing (CORS)
CORS can be enabled
for Orion using the -corsOrigin
switch during startup. -corsOrigin
takes either
a string value of a single origin that would be allowed to make CORS requests or
__ALL
for allowing any origin to make CORS requests to the Context Broker.
The only configurable aspect of Orion's CORS mode besides the allowed origin is
the maximum time a preflight request can be cached by the client, which is
handled by the -corsMaxAge
switch. It takes the maximum amount of cache time in
seconds and defaults to 86400
(24 hours) if not used.
More information about Orion CLI switches cat be found in the administration manual.
For example:
-
Below command starts Orion with CORS enabled for any origin with a 10 minute maximum preflight cache time
contextBroker -corsOrigin __ALL -corsMaxAge 600
-
Start Orion with CORS enabled for only a specific origin with the default maximum preflight cache time
contextBroker -corsOrigin specificdomain.com
CORS is available for all /v2
resources but for /v1
resources, it is only
available for simple GET requests.
Access-Control-Allow-Origin
If the CORS mode is enabled, Origin header is present in the request and its value matches Orion's allowed origin, this header will always be added to the response.
Please note that if the above condition is not true and Access-Control-Allow-Origin header is not added to the response, all the CORS processes are stopped and no other CORS headers are added to the response.
If -corsOrigin
is set to a specific value, specificdomain.com
in this case:
Access-Control-Allow-Origin: specifidomain.com
If -corsOrigin
is set to __ALL
:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods
This header should be present in Orion's response for every OPTIONS
request
made to /v2
resources. Each resource has its own set of allowed methods and
the header value is set by the options*Only
service routines in
lib/serviceRoutinesV2
Access-Control-Allow-Headers
This header should be present in Orion's response for every OPTIONS
request
made to /v2
resources. Orion allows a specific set of headers in CORS requests
and these are defined in lib/rest/HttpHeaders.h
Orion's response to a valid OPTIONS
request would include the header and value
below:
Access-Control-Allow-Headers: Content-Type, Fiware-Service, Fiware-Servicepath, Ngsiv2-AttrsFormat, Fiware-Correlator, X-Forwarded-For, X-Real-IP, X-Auth-Token
Access-Control-Max-Age
This header should be present in Orion's response for every OPTIONS
request
made to /v2
resources. The user is free to set a value for the maximum time
(in seconds) a client is allowed to cache a preflight request made to Orion.
If -corsMaxAge
is set to a specific value, 600
in this case, Orion's response
to a valid OPTIONS
request would include the header and value below:
Access-Control-Max-Age: 600
If -corsMaxAge
is not set on startup, it will default to '86400' (24 hours) and
Orion's response to a valid OPTIONS
request would include the header and value
below:
Access-Control-Max-Age: 86400
Access-Control-Expose-Headers
This header should be present in Orion's response for every request made with a valid Origin value. Orion allows a specific set of response headers to be accessed by the user agent (i.e. browser) in CORS requests and these are defined in lib/rest/HttpHeaders.h
Orion's response to a valid CORS request would include the header and value below:
Access-Control-Expose-Headers: Fiware-Correlator, Fiware-Total-Count, Location