功能说明

cors 插件可以为服务端启用 CORS(Cross-Origin Resource Sharing,跨域资源共享)的返回 http 响应头。

运行属性

插件执行阶段:授权阶段 插件执行优先级:340

配置字段

名称数据类型填写要求默认值描述
allow_originsarray of string选填允许跨域访问的 Origin,格式为 scheme://host:port ,示例如 http://example.com:8081。当 allow_credentials 为 false 时,可以使用 来表示允许所有 Origin 通过
allow_origin_patternsarray of string选填-允许跨域访问的 Origin 模式匹配, 用 匹配域名或者端口,
比如 http://.example.com — 匹配域名, http://.example.com:[8080,9090] — 匹配域名和指定端口, http://.example.com:[] — 匹配域名和所有端口。单独 表示匹配所有域名和端口
allow_methodsarray of string选填GET, PUT, POST, DELETE, PATCH, OPTIONS允许跨域访问的 Method,比如:GET,POST 等。可以使用 来表示允许所有 Method。
allow_headersarray of string选填DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,
If-Modified-Since,Cache-Control,Content-Type,Authorization		允许跨域访问时请求方携带哪些非 CORS 规范以外的 Header。可以使用 来表示允许任意 Header。
expose_headersarray of string选填-允许跨域访问时响应方携带哪些非 CORS 规范以外的 Header。可以使用 来表示允许任意 Header。
allow_credentialsbool选填false是否允许跨域访问的请求方携带凭据(如 Cookie 等)。根据 CORS 规范,如果设置该选项为 true,在 allow_origins 不能使用 , 替换成使用 allow_origin_patterns *
max_agenumber选填86400秒浏览器缓存 CORS 结果的最大时间,单位为秒。
在这个时间范围内,浏览器会复用上一次的检查结果

注意

  • allow_credentials 是一个很敏感的选项,请谨慎开启。开启之后,allow_credentials 和 allow_origins 为 * 不能同时使用,同时设置时, allow_origins 值为 ”*” 生效。
  • allow_origins 和 allow_origin_patterns 可以同时设置, 先检查 allow_origins 是否匹配,然后再检查 allow_origin_patterns 是否匹配
  • 非法 CORS 请求, HTTP 状态码返回是 403, 返回体内容为 “Invalid CORS request”

配置示例

允许所有跨域访问, 不允许请求方携带凭据

  1. allow_origins:
  2.   - 
  3. allow_methods:
  4.   - 
  5. allow_headers:
  6.   - 
  7. expose_headers:
  8.   - 
  9. allow_credentials: false
  10. max_age: 7200

允许所有跨域访问,同时允许请求方携带凭据

  1. allow_origin_patterns:
  2.   - 
  3. allow_methods:
  4.   - 
  5. allow_headers:
  6.   - 
  7. expose_headers:
  8.   - 
  9. allow_credentials: true
  10. max_age: 7200

允许特定子域,特定方法,特定请求头跨域访问,同时允许请求方携带凭据

  1. allow_origin_patterns:
  4. allow_methods:
  5.   - GET
  6.   - PUT
  7.   - POST
  8.   - DELETE
  9. allow_headers:
  10.   - Token
  11.   - Content-Type
  12.   - Authorization
  13. expose_headers:
  14.   - ‘*’
  15. allow_credentials: true
  16. max_age: 7200

测试

测试配置

  1. apiVersion: networking.higress.io/v1
  2. kind: McpBridge
  3. metadata:
  4.   name: mcp-cors-httpbin
  5.   namespace: higress-system
  6. spec:
  7.   registries:
  8.     - domain: httpbin.org
  9.       name: httpbin
  10.       port: 80
  11.       type: dns
  12. —-
  13. apiVersion: networking.k8s.io/v1
  14. kind: Ingress
  15. metadata:
  16.   annotations:
  17.     higress.io/destination: httpbin.dns
  18.     higress.io/upstream-vhost: httpbin.org
  19.     higress.io/backend-protocol: HTTP
  20.   name: ingress-cors-httpbin
  21.   namespace: higress-system
  22. spec:
  23.   ingressClassName: higress
  24.   rules:
  25.     - host: httpbin.example.com
  26.       http:
  27.         paths:
  28.           - backend:
  29.               resource:
  30.                 apiGroup: networking.higress.io
  31.                 kind: McpBridge
  32.                 name: mcp-cors-httpbin
  33.             path: /
  34.             pathType: Prefix
  35. —-
  36. apiVersion: extensions.higress.io/v1alpha1
  37. kind: WasmPlugin
  38. metadata:
  39.   name: wasm-cors-httpbin
  40.   namespace: higress-system
  41. spec:
  42.   defaultConfigDisable: true
  43.   matchRules:
  44.     - config:
  45.         allow_origins:
  47.         allow_origin_patterns:
  50.         allow_methods:
  51.           - GET
  52.           - POST
  53.           - PATCH
  54.         allow_headers:
  55.           - Content-Type
  56.           - Token
  57.           - Authorization
  58.         expose_headers:
  59.           - X-Custom-Header
  60.           - X-Env-UTM
  61.         allow_credentials: true
  62.         max_age: 3600
  63.       configDisable: false
  64.       ingress:
  65.         - ingress-cors-httpbin
  66.   url: oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/cors:1.0.0
  67.   imagePullPolicy: Always

请求测试

简单请求

  1. curl -v -H Origin: http://httpbin2.example.org:9090“ -H  “Host: httpbin.example.com”  http://127.0.0.1/anything/get\?foo\=1
  4. < HTTP/1.1 200 OK
  5. > x-cors-version: 1.0.0
  6. > access-control-allow-origin: http://httpbin2.example.org:9090
  7. > access-control-expose-headers: X-Custom-Header,X-Env-UTM
  8. > access-control-allow-credentials: true

预检请求

  1. curl -v -X OPTIONS -H Origin: http://httpbin2.example.org:9090“ -H  “Host: httpbin.example.com” -H “Access-Control-Request-Method: POST”  -H “Access-Control-Request-Headers: Content-Type, Token” http://127.0.0.1/anything/get\?foo\=1
  4. < HTTP/1.1 200 OK
  5. < x-cors-version: 1.0.0
  6. < access-control-allow-origin: http://httpbin2.example.org:9090
  7. < access-control-allow-methods: GET,POST,PATCH
  8. < access-control-allow-headers: Content-Type,Token,Authorization
  9. < access-control-expose-headers: X-Custom-Header,X-Env-UTM
  10. < access-control-allow-credentials: true
  11. < access-control-max-age: 3600
  12. < date: Tue, 23 May 2023 11:41:28 GMT
  13. < server: istio-envoy
  14. < content-length: 0
  15. <
  16.  Connection #0 to host 127.0.0.1 left intact
  17.  Closing connection 0

非法 CORS Origin 预检请求

  1. curl -v -X OPTIONS -H Origin: http://httpbin2.example.org“ -H  “Host: httpbin.example.com” -H “Access-Control-Request-Method: GET”  http://127.0.0.1/anything/get\?foo\=1
  4.  HTTP/1.1 403 Forbidden
  5. < content-length: 70
  6. < content-type: text/plain
  7. < x-cors-version: 1.0.0
  8. < date: Tue, 23 May 2023 11:27:01 GMT
  9. < server: istio-envoy
  10. <
  11. * Connection #0 to host 127.0.0.1 left intact
  12. Invalid CORS request

非法 CORS Method 预检请求

  1. curl -v -X OPTIONS -H Origin: http://httpbin2.example.org:9090“ -H  “Host: httpbin.example.com” -H “Access-Control-Request-Method: DELETE”  http://127.0.0.1/anything/get\?foo\=1
  4. < HTTP/1.1 403 Forbidden
  5. < content-length: 49
  6. < content-type: text/plain
  7. < x-cors-version: 1.0.0
  8. < date: Tue, 23 May 2023 11:28:51 GMT
  9. < server: istio-envoy
  10. <
  11. * Connection #0 to host 127.0.0.1 left intact
  12. Invalid CORS request

非法 CORS Header 预检请求

  1.  curl -v -X OPTIONS -H Origin: http://httpbin2.example.org:9090“ -H  “Host: httpbin.example.com” -H “Access-Control-Request-Method: GET” -H “Access-Control-Request-Headers: TokenView”  http://127.0.0.1/anything/get\?foo\=1
  4. < HTTP/1.1 403 Forbidden
  5. < content-length: 52
  6. < content-type: text/plain
  7. < x-cors-version: 1.0.0
  8. < date: Tue, 23 May 2023 11:31:03 GMT
  9. < server: istio-envoy
  10. <
  11. * Connection #0 to host 127.0.0.1 left intact
  12. Invalid CORS request

参考文档