Cross-Domain Sharing
What is Cross-Domain Sharing
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell the browser that a web application running on one domain may access specified resources on a server in a different domain. When a resource requests another resource from a domain, protocol, or port other than the one it was itself loaded from, that request is a cross-domain (cross-origin) HTTP request. For security reasons, browsers restrict cross-domain HTTP requests initiated from within scripts, for example through XMLHttpRequest and the Fetch API. These APIs follow the same-origin policy, which means that a web application using them can only request HTTP resources from the same origin the application was loaded from, unless the response carries the correct CORS response headers.
Simple Requests and Non-Simple Requests
For a cross-domain HTTP request, the browser determines from the structure of the request whether it is a simple cross-domain request. For a non-simple cross-domain request, the browser first sends an OPTIONS request as a pre-check (a preflight request). A request that meets all of the following conditions is considered a simple request:
- Uses one of the following methods:
  - GET
  - HEAD
  - POST
- Contains only the following HTTP headers:
  - Accept
  - Accept-Language
  - Content-Language
  - Content-Type (note the additional restriction below)
  - DPR
  - Downlink
  - Save-Data
  - Viewport-Width
  - Width
- The value of Content-Type is limited to one of the following three:
  - text/plain
  - multipart/form-data
  - application/x-www-form-urlencoded
- No XMLHttpRequestUpload object in the request has any event listener registered; XMLHttpRequestUpload objects are accessed through the XMLHttpRequest.upload property.
- No ReadableStream object is used in the request.
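The classification above, written out as an added JavaScript example (this is not code from the original page or from UAPIGateway). The function `classifyRequest`, its option names and the sample requests are constructed for illustration; the rule set is exactly the list above.

```javascript
// Added example: classify a cross-origin request as "simple" or "needs preflight"
// using the rules listed above. Only author-set headers are checked; headers the
// browser adds on its own (Origin, User-Agent, ...) never count against a request.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
  "dpr", "downlink", "save-data", "viewport-width", "width",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "text/plain", "multipart/form-data", "application/x-www-form-urlencoded",
]);

// Hypothetical helper (not a browser API). Returns { simple, reasons }, where
// `reasons` lists every rule the request breaks, so a developer can see why a
// request will be preflighted.
//   method  - HTTP method
//   headers - author-set request headers, name -> value
//   opts.uploadListeners    - true if listeners were added on xhr.upload
//   opts.readableStreamBody - true if the body is a ReadableStream
function classifyRequest(method, headers = {}, opts = {}) {
  const reasons = [];
  if (!SIMPLE_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method} is not GET, HEAD or POST`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lname)) {
      reasons.push(`header ${name} is not in the simple-request header list`);
      continue;
    }
    if (lname === "content-type") {
      // Only the media type is compared; parameters such as "; charset=utf-8" are ignored.
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) {
        reasons.push(`Content-Type ${mediaType} is not one of the three permitted types`);
      }
    }
  }
  if (opts.uploadListeners) reasons.push("event listeners registered on XMLHttpRequestUpload");
  if (opts.readableStreamBody) reasons.push("request body is a ReadableStream");
  return { simple: reasons.length === 0, reasons };
}

// Constructed sample requests: a plain form post, a JSON post, a request carrying
// one of the gateway's X-Gw-* signature headers, and a DELETE.
const samples = {
  formPost: classifyRequest("POST", { "Content-Type": "application/x-www-form-urlencoded" }),
  jsonPost: classifyRequest("POST", { "Content-Type": "application/json" }),
  signedGet: classifyRequest("GET", { Accept: "application/json", "X-Gw-Timestamp": "1700000000" }),
  del: classifyRequest("DELETE"),
};

for (const [name, result] of Object.entries(samples)) {
  console.log(name, result.simple ? "simple" : `preflight: ${result.reasons.join("; ")}`);
}
```

Run it with `node`. One consequence worth noticing: the X-Gw-* signature headers that appear in the gateway's Access-Control-Allow-Header value are not in the simple-request header list, so a signed request made from a browser is never simple and always starts with an OPTIONS preflight.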
UAPIGateway Support for CORS
For APIs bound to a CORS cross-domain policy, UAPIGateway decides whether to add CORS response headers based on the content of the backend response. If the backend response does not contain any CORS response header, UAPIGateway adds the following response headers:
Access-Control-Allow-Origin : $http_origin
Access-Control-Allow-Header : X-Gw-Signature-Method,X-Gw-Signature-Headers,X-Gw-Signature-Headers,X-Gw-Timestamp,X-Gw-Timestamp,X-Gw-SignedString,X-Gw-Stage,Authorization,Content-Type,Accept,Accept-Ranges,Cache-Control,Range
Access-Control-Allow-Method : POST,GET,DELETE,OPTIONS,HEAD,PUT
Access-Control-Expose-Header : X-Gw-Signature-Method,X-Gw-Signature-Headers,X-Gw-Signature-Headers,X-Gw-Timestamp,X-Gw-Timestamp,X-Gw-SignedString,X-Gw-Stage,Authorization,Content-Type,Accept,Accept-Ranges,Cache-Control,Range
Access-Control-Allow-CREDENTIALS: true
If the backend response already contains any CORS response header, UAPIGateway treats this as the user wanting to handle the CORS response headers themselves, and it does not modify the CORS response headers in any way.
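An added JavaScript model of the rule described above, together with a configuration check (this is not UAPIGateway's own code). The default header set is copied from the list above with $http_origin replaced by the request's Origin; the backends, probe origins and the functions `applyGatewayCors` and `checkOriginPolicy` are constructed for illustration.

```javascript
// Added example (not UAPIGateway's own code): a model of the header rule described
// above, plus a configuration check that tells a reflected-origin policy apart from
// a fixed allowlist by probing the pipeline with two different Origin values.

// Value of the gateway's Allow-Header / Expose-Header lines, copied from the page.
const GW_HEADER_LIST = [
  "X-Gw-Signature-Method", "X-Gw-Signature-Headers", "X-Gw-Signature-Headers",
  "X-Gw-Timestamp", "X-Gw-Timestamp", "X-Gw-SignedString", "X-Gw-Stage",
  "Authorization", "Content-Type", "Accept", "Accept-Ranges", "Cache-Control", "Range",
].join(",");

// Default headers the page says the gateway adds; $http_origin becomes the request's Origin.
// Header names are spelled exactly as the page lists them.
function gatewayDefaults(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Header": GW_HEADER_LIST,
    "Access-Control-Allow-Method": "POST,GET,DELETE,OPTIONS,HEAD,PUT",
    "Access-Control-Expose-Header": GW_HEADER_LIST,
    "Access-Control-Allow-CREDENTIALS": "true",
  };
}

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

function hasCorsHeader(headers) {
  return Object.keys(headers).some((k) => k.toLowerCase().startsWith("access-control-"));
}

// The rule from the page: inject defaults only when the backend sent no CORS header at all.
function applyGatewayCors(origin, backendHeaders) {
  if (hasCorsHeader(backendHeaders)) return { ...backendHeaders };
  return { ...backendHeaders, ...gatewayDefaults(origin) };
}

// Configuration check. `respond` maps an Origin to the final response headers of the
// whole backend+gateway pipeline. If every probe origin comes back unchanged as
// Access-Control-Allow-Origin, the policy reflects arbitrary origins; combined with
// Allow-Credentials: true, any site the user visits can read authenticated responses.
function checkOriginPolicy(respond, probes = ["https://app.example.com", "https://other.example"]) {
  const responses = probes.map((o) => respond(o));
  const reflectsAnyOrigin = responses.every(
    (h, i) => getHeader(h, "Access-Control-Allow-Origin") === probes[i]);
  const credentialed = responses.some(
    (h) => (getHeader(h, "Access-Control-Allow-Credentials") || "").toLowerCase() === "true");
  return { reflectsAnyOrigin, riskyWithCredentials: reflectsAnyOrigin && credentialed };
}

// Constructed backends. The naive one sets CORS headers only for its known origin and
// nothing otherwise, so for any other origin the gateway's reflecting defaults take over.
function noCorsBackend() {
  return { "Content-Type": "application/json" };
}
function naiveAllowlistBackend(origin) {
  const h = { "Content-Type": "application/json", Vary: "Origin" };
  if (origin === "https://app.example.com") {
    h["Access-Control-Allow-Origin"] = origin;
    h["Access-Control-Allow-Credentials"] = "true";
  }
  return h;
}
// The explicit one always emits a fixed Allow-Origin, so the gateway never adds defaults.
function explicitAllowlistBackend() {
  return {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
  };
}

const results = {
  noCors: checkOriginPolicy((o) => applyGatewayCors(o, noCorsBackend())),
  naive: checkOriginPolicy((o) => applyGatewayCors(o, naiveAllowlistBackend(o))),
  explicit: checkOriginPolicy((o) => applyGatewayCors(o, explicitAllowlistBackend())),
};
console.log(results);
```

Run it with `node`. Two points follow from the rule: a backend that sets CORS headers only for recognised origins and sends none for the rest silently falls back to the gateway's defaults, which echo the Origin and allow credentials, so a backend that wants a restrictive policy must emit an explicit CORS header on every response, not just on the ones it approves. Also, the standard header names are Access-Control-Allow-Headers, Access-Control-Allow-Methods and Access-Control-Expose-Headers (plural), so confirm the exact names the gateway emits with a real preflight before relying on them from browser code.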