This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

CORS Policy doesn't generate header Access-Control-Allow-Credentials

Posted on 09-21-2022 05:55 AM
Giupo
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello,

I've used a CORS policy in my proxy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CORS continueOnError="false" enabled="true" name="CORS">
    <DisplayName>CORS</DisplayName>
    <AllowOrigins>{request.header.origin}</AllowOrigins>
    <AllowMethods>POST</AllowMethods>
    <AllowCredentials>true</AllowCredentials>
    <AllowHeaders>origin, x-requested-with, accept, content-type, authorization</AllowHeaders>
    <ExposeHeaders>content-length,accept-ranges,content-encoding,content-range</ExposeHeaders>
    <MaxAge>3628800</MaxAge>
    <GeneratePreflightResponse>true</GeneratePreflightResponse>
</CORS>

But I noticed this error con Chrome Console:

Access to XMLHttpRequest at 'https://xxxxx.com/xxx/service' from origin 'http://xxxxx.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

 If i look at the response headers it's missing the 'Access-Control-Allow-Credentials' header.

 

Is there any wrong configuration or maybe is a Apigee Hybrid 1.7 bug?

Thanks

Solved Solved
0 3 3,210
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

There is an open bug against the CORS policy for this behavior.  Internal reference: b/222024484  

At this time I don't have n estimated time of resolution for this.  

EDIT: According to the Release Notes, This fix was rolled into the Apigee X runtime release on May, 17, 2023.  I believe it should be in the next Apigee hybrid fix release, as well. 1.9.5, etc. 

View solution in original post

Jump to Solution
3 REPLIES 3

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

There is an open bug against the CORS policy for this behavior.  Internal reference: b/222024484  

At this time I don't have n estimated time of resolution for this.  

EDIT: According to the Release Notes, This fix was rolled into the Apigee X runtime release on May, 17, 2023.  I believe it should be in the next Apigee hybrid fix release, as well. 1.9.5, etc. 

Jump to Solution

Posted on --/--/---- --:-- AM
andreiprostoand
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Why is this marked as solved?
I got same behavior at cloud storage

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
dchiesa1
Staff
In response to andreiprostoand
Reply posted on --/--/---- --:-- AM

A: I don't understand your question.  The person who posted the question was satisfied with my answer, and marked it as "solved" , I suppose meaning, "OK, I've got the information I need to answer my question."  The answer in my question cited n internal bug, and ... we presume that bug is still outstanding, which means it's still a problem.  This Q&A forum is not a bug database. So "solved" means "question is answered satisfactorily." 

B. I don't understand your statement.  You don't elaborate, but you did mention "same behavior" at Cloud storage.  Does your observation have anything to do with Apigee?  This question was originally about an Apigee policy.  

Jump to Solution
0 Likes