CORS Headers set to 'Access-Control-Allow-Origin: *' despite passing specific Origin

Can someone tell me if this is by design, please:
My CORS policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CORS continueOnError="false" enabled="true" name="CORS-Response-v0">
    <DisplayName>CORS-Response-v0</DisplayName>
    <AllowOrigins>{request.header.origin}</AllowOrigins>
    <AllowMethods>{into.cors-handling.operations}</AllowMethods>
    <AllowHeaders>origin, x-requested-with, accept, content-type, authorization, x-api-key</AllowHeaders>
    <ExposeHeaders>*</ExposeHeaders>
    <MaxAge>3628800</MaxAge>
    <AllowCredentials>false</AllowCredentials>
    <GeneratePreflightResponse>true</GeneratePreflightResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</CORS>

request.header.origin = http://localhost:8998. I’ve used an AssignMessage policy to push that value out as a response header, and sure enough it looks like this from curl:

< Apigee-CORS-Headers-IndicatorDebug2: http://localhost:8998

So first I make an OPTIONS request to my simple proxy, hitting the CORS policy, and it returns the CORS headers I’m interested in as expected:

< Access-Control-Request-Method: GET
< Origin: http://localhost:8998

No problem. I immediately call a GET against the same proxy, and of course the same CORS policy (via the same shared flow, now called in the TargetEndpoint), passing the same Origin of http://localhost:8998.

But what I get back is:

< Access-Control-Allow-Origin: *

Why am I not getting back these headers, per the policy,

< Access-Control-Request-Method: GET
< Origin: http://localhost:8998

as with the OPTIONS request? I changed the policy to this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CORS continueOnError="false" enabled="true" name="CORS-Response-v0">
    <DisplayName>CORS-Response-v0</DisplayName>
    <AllowOrigins>http://localhost:8998</AllowOrigins>
    <AllowMethods>{into.cors-handling.operations}</AllowMethods>
    <AllowHeaders>origin, x-requested-with, accept, content-type, authorization, x-api-key</AllowHeaders>
    <ExposeHeaders>*</ExposeHeaders>
    <MaxAge>3628800</MaxAge>
    <AllowCredentials>false</AllowCredentials>
    <GeneratePreflightResponse>true</GeneratePreflightResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</CORS>

And it’s giving me

< Access-Control-Allow-Origin: *

I should be getting:

< Access-Control-Request-Method: GET
< Origin: http://localhost:8998

Right? Or help!

Just replying to my own post as you do …

I seem to have fixed it. I’m now getting

< Access-Control-Allow-Origin: http://localhost:8998

Not helpful, but I’m not entirely sure what fixed it. What I did:

  1. Restarted the emulator
  2. Made sure my CORS policy was last in the shared flow.
  3. Made sure each only had 1 policy.

I had an AssignMessageHeader Policy in the flow after the CORS Policy setting some headers (mostly for debugging). I made sure the CORS Policy was last in the shared flow in case that policy was affecting the previously set CORS Headers.

I had 2 Policies in the same Step like this:

<Step>
    <Name>CORS-Response-v0</Name>
    <Name>AssignMessage-AddCORSResponseHeaderDebug</Name>
    <Condition>apim.cors.headers-indicator == true</Condition>
</Step>

I think that was it, but oddly the OPTIONS request hitting the same shared flow was working!
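Added example, not from the post or from Apigee: a small Python checker that parses curl's "< Header: value" output for a preflight and the matching actual request, and reports when Access-Control-Allow-Origin differs between the two or comes back as "*", which is exactly the symptom described above. The sample responses are constructed from the values in the thread; the wildcard-plus-credentials check is an extra caveat, since browsers reject that combination.

```python
import re

# Constructed samples in curl's verbose "< Header: value" form, mirroring the
# thread: a preflight and a GET, both sent with Origin http://localhost:8998.
SENT_ORIGIN = "http://localhost:8998"
PREFLIGHT_LINES = [
    "< Access-Control-Allow-Origin: http://localhost:8998",
    "< Access-Control-Allow-Methods: GET, OPTIONS",
]
BROKEN_GET_LINES = ["< HTTP/1.1 200 OK", "< Access-Control-Allow-Origin: *"]
FIXED_GET_LINES = ["< Access-Control-Allow-Origin: http://localhost:8998"]
HEADER_RE = re.compile(r"^<\s*([A-Za-z0-9-]+):\s*(.*)$")


def parse_curl_headers(lines):
    """Map curl '< Name: value' lines to a dict keyed by lower-cased header name."""
    headers = {}
    for line in lines:
        match = HEADER_RE.match(line)
        if match:
            headers[match.group(1).lower()] = match.group(2).strip()
    return headers


def acao_class(headers, sent_origin):
    """Classify Access-Control-Allow-Origin relative to the Origin that was sent."""
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return "missing"
    if acao == "*":
        return "wildcard"
    return "exact" if acao == sent_origin else "other"


def check_cors_pair(preflight_lines, actual_lines, sent_origin):
    """Return findings: preflight/actual disagreement, a wildcard answer, or both."""
    pre = parse_curl_headers(preflight_lines)
    act = parse_curl_headers(actual_lines)
    findings = []
    pre_acao = pre.get("access-control-allow-origin")
    act_acao = act.get("access-control-allow-origin")
    if pre_acao != act_acao:
        findings.append(f"preflight/actual mismatch: {pre_acao!r} vs {act_acao!r}")
    if acao_class(act, sent_origin) == "wildcard":
        findings.append("wildcard: any origin may read this response")
    # Browsers reject '*' together with Allow-Credentials: true; flag it as a policy bug
    if act_acao == "*" and act.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("wildcard combined with Allow-Credentials: true")
    return findings
```

Note that the first policy's AllowOrigins of {request.header.origin} echoes whatever Origin arrives, so it admits every origin just as "*" does; an explicit allow-list like the second policy is the safer shape.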