Configuring Glue for cross-origin requests
By default, the Glue REST API runs under the same-origin policy, which remains the recommended security level for web applications. However, because requests to the Glue REST API can originate from touchpoints located on multiple domains, Cross-Origin Resource Sharing (CORS) can be enabled in Glue. When CORS is enabled, the Glue REST API accepts browser requests from a list of allowed origins or from any origin, depending on the configuration. Keep in mind that CORS only controls which origins a browser lets read the API's responses; it does not authenticate the caller, so it is no substitute for proper authorization on the resources themselves.
To enable CORS support in Glue, follow the Installation Guide.
Configure CORS behavior
CORS is configured in Spryker Glue through configuration constants in the environment-specific config files. There are two levels at which CORS can be configured: global and per-domain. On the global level, CORS is configured for the whole Glue Application. On the per-domain level, you configure CORS behavior separately for each domain configured in the Glue Application. For example, you can configure different lists of allowed origins for the
Per-domain configuration always prevails over the global one. For this reason, the recommended practice is to configure CORS behavior for each domain separately.
Configuration can be found in the following files:
config/Shared/config_default_DE.php, where DE is the respective domain.
To configure CORS behavior, follow these steps:
Open the necessary configuration file depending on which CORS configuration you want to set up.
Modify the value of the GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN configuration key. It accepts the following values:
Empty string (shown as <null>): CORS is disabled. Example:
$config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '';
*: allow CORS requests from any origin. Example:
$config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '*';
With this value any website can issue cross-origin requests to the API and read the responses, so use it only for resources that expose no user-specific data. Browsers also refuse to expose a response that combines * with Access-Control-Allow-Credentials: true.
http://www.example1.com: allow CORS requests only from the specified origin. Example:
$config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = 'http://www.example1.com';
The value must match the Origin header the browser sends exactly, including scheme and port: http://www.example1.com does not cover https://www.example1.com or http://example1.com.
Save the file.
Verify the configuration
To verify that the configuration has been completed successfully, make an OPTIONS pre-flight request to any valid Glue resource, for example http://glue.example.com/, with the Origin header set to one of the configured origins, and make sure that:
The Access-Control-Allow-Origin header is present and has the value set in the configuration.
The Access-Control-Allow-Methods header is present and contains all available REST methods.
Then repeat the request with an Origin that is not configured and confirm that Access-Control-Allow-Origin does not echo it back: a response that reflects whatever Origin it receives is equivalent to allowing any origin.
You can also send one of the actual requests the resource supports (for example a DELETE request, depending on the resource used) and verify that the response carries the same headers.
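A script that carries out the verification described above, added here as an example; it is not code from the Spryker documentation or from the Glue code base. It sends an OPTIONS pre-flight request with a configured Origin and with a foreign one, and reports whether Access-Control-Allow-Origin and Access-Control-Allow-Methods match the configured value, including the origin-reflection and wildcard-with-credentials cases. The host name glue.example.com, the resource path, the expected origin, the foreign origin and the method list are assumptions; replace them with your own values.

```python
"""Pre-flight check for a Glue CORS configuration.

Added example; not code from the Spryker documentation or the Glue code base.
The host, path, expected origin and method list are assumptions.
"""
import http.client
from urllib.parse import urlsplit

# Assumed values, not taken from the page: replace with your own.
GLUE_BASE_URL = "http://glue.example.com"
RESOURCE_PATH = "/"
EXPECTED_ORIGIN = "http://www.example1.com"  # value of GLUE_APPLICATION_CORS_ALLOW_ORIGIN
# Methods the resource is expected to advertise (assumption: adjust per resource).
REQUIRED_METHODS = frozenset({"GET", "POST", "PATCH", "DELETE"})
# An origin that must never be granted access unless '*' is configured.
FOREIGN_ORIGIN = "http://attacker.invalid"


def evaluate_cors(headers, sent_origin, expected_origin, required_methods=REQUIRED_METHODS):
    """Compare one pre-flight response with the configured value.

    headers: response header names to values (any letter case).
    sent_origin: the Origin header that was sent.
    expected_origin: '' (CORS disabled), '*' (any origin) or one exact origin.
    Returns a list of findings; an empty list means the response is as configured.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    allowed_methods = {m.strip().upper()
                       for m in h.get("access-control-allow-methods", "").split(",") if m.strip()}
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []

    # Does the configuration grant this origin access?
    granted = expected_origin == "*" or (expected_origin != "" and sent_origin == expected_origin)

    if granted:
        wanted = "*" if expected_origin == "*" else expected_origin
        if acao != wanted:
            findings.append(f"Access-Control-Allow-Origin is {acao!r}, expected {wanted!r}")
        missing = required_methods - allowed_methods
        if missing:
            findings.append(f"Access-Control-Allow-Methods lacks {sorted(missing)}")
        if acao == "*" and credentials:
            # Browsers refuse to expose such a response; it also signals an over-permissive setup.
            findings.append("wildcard origin combined with Access-Control-Allow-Credentials: true")
    else:
        # No header, or a header naming some other origin, is fine: the browser blocks
        # the response. Echoing the sent origin, or '*', is not.
        if acao in ("*", sent_origin):
            findings.append(f"origin {sent_origin!r} granted access via {acao!r} although not configured")
        elif expected_origin == "" and acao is not None:
            findings.append(f"CORS is disabled in the configuration but Access-Control-Allow-Origin {acao!r} is sent")
    return findings


def preflight(base_url, path, origin, method="GET"):
    """Send one OPTIONS pre-flight request; return (status, header dict)."""
    parts = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    conn.request("OPTIONS", path, headers={"Origin": origin, "Access-Control-Request-Method": method})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers


def check_glue(base_url=GLUE_BASE_URL, path=RESOURCE_PATH, expected_origin=EXPECTED_ORIGIN):
    """Probe with the configured origin (if any) and with a foreign one; return findings per origin."""
    probes = [expected_origin] if expected_origin not in ("", "*") else []
    probes.append(FOREIGN_ORIGIN)
    report = {}
    for origin in probes:
        _status, headers = preflight(base_url, path, origin)
        report[origin] = evaluate_cors(headers, origin, expected_origin)
    return report


if __name__ == "__main__":
    for origin, findings in check_glue().items():
        print(origin, "OK" if not findings else findings)
```

evaluate_cors is kept separate from the network call so it can be run against captured responses (for example from a proxy) as well as live ones. An empty finding list for the configured origin together with an empty list for the foreign origin is the expected outcome of a correctly configured single-origin setup.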