Cross-origin requests

A cross-origin HTTP request is one initiated by a web site at a different origin (the tuple of scheme, hostname, and port) than the target of the request. Browsers restrict cross-origin requests according to the complex rules of the same-origin policy and Cross-Origin Resource Sharing (CORS).

Gafaelfawr does not protect against cross-origin simple requests (requests that do not require a CORS preflight). A simple request is sent to the server and executed, together with any cookies the browser attaches; CORS only prevents the requesting page from reading the response. Defending against such requests is up to the protected web application. However, note that disabling cookie authentication is generally effective at forcing a CORS preflight check, since Authorization is not a CORS-safelisted request header, so any cross-origin request that carries one must be preflighted.
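To see why cookie authentication alone does not force a preflight while a bearer token does, the following added example (not Gafaelfawr code) implements the Fetch standard's CORS-safelisted method and request-header rules, which are what decide whether a browser sends a request directly or issues an OPTIONS preflight first. The sample requests at the bottom are constructed; the token value is a placeholder.

```python
"""Decide whether a browser must send a CORS preflight for a given request.

Added example, not Gafaelfawr code: implements the Fetch standard's
"CORS-safelisted" method and request-header rules, which make a request
"simple" (sent directly) or "preflighted" (OPTIONS first).
"""

import re

# Methods that never trigger a preflight on their own.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

# Content-Type values that keep a request simple (parameters such as
# charset are ignored for the comparison).
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# A "simple range header value": bytes=<start>-<optional end> or bytes=-<suffix>.
_SIMPLE_RANGE = re.compile(r"^bytes=(\d+-\d*|-\d+)$")


def header_is_safelisted(name: str, value: str) -> bool:
    """True if a script-set request header is CORS-safelisted.

    Simplification: the Fetch standard also rejects certain control bytes
    in header values; that check is omitted here.
    """
    if len(value.encode("utf-8")) > 128:
        return False  # safelisted values are limited to 128 bytes
    name = name.lower()
    if name in ("accept", "accept-language", "content-language"):
        return True
    if name == "content-type":
        essence = value.split(";", 1)[0].strip().lower()
        return essence in SAFELISTED_CONTENT_TYPES
    if name == "range":
        return _SIMPLE_RANGE.match(value) is not None
    # Everything else, Authorization included, forces a preflight.
    return False


def requires_preflight(method: str, headers: dict) -> bool:
    """True if the browser sends an OPTIONS preflight before this request.

    ``headers`` are the headers the script sets explicitly. Cookies are not
    among them: a fetch with ``credentials: "include"`` attaches them without
    changing the preflight decision, which is why cookie authentication alone
    does not force a preflight.
    """
    if method.upper() not in SAFELISTED_METHODS:
        return True
    return any(not header_is_safelisted(n, v) for n, v in headers.items())


if __name__ == "__main__":
    # Constructed requests against a hypothetical protected API.
    form_post = {"Content-Type": "application/x-www-form-urlencoded"}
    bearer_get = {"Authorization": "Bearer example-token"}
    json_post = {"Content-Type": "application/json"}
    print("cookie-authenticated form POST preflighted?", requires_preflight("POST", form_post))
    print("bearer-token GET preflighted?", requires_preflight("GET", bearer_get))
    print("JSON POST preflighted?", requires_preflight("POST", json_post))
```

The form POST is a simple request: with cookie authentication enabled it reaches the protected application without any preflight, so the application has to defend itself. The same request with an Authorization header, or with a JSON body, is preflighted and therefore subject to the policy in the next section.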

CORS preflight policy

Gafaelfawr implements the following authorization policy for CORS preflight requests to authenticated ingresses:

  • An OPTIONS request containing an Origin header matching the hostname of the base URL of the Science Platform is allowed through to the protected site to respond to as it wishes. This is true even if the protected site is served from a hostname that does not match the base URL.

  • If subdomain support is enabled, an OPTIONS request containing an Origin header for any hostname that is a subdomain of the base URL is also allowed through to the protected site to respond to as it wishes.

  • All other OPTIONS requests are rejected.

The intended effect of this policy is to allow protected applications to control their CORS policy for requests from other components of the same instance of the Science Platform, but to reject all cross-origin requests from outside the Science Platform, regardless of the opinions of the protected application.

Anonymous ingresses pass all requests through to the underlying application, including OPTIONS requests.

Other OPTIONS requests

All OPTIONS requests to authenticated ingresses that do not contain an Origin header are rejected with a 404 error.

This means that sites protected by Gafaelfawr do not support the non-CORS use of OPTIONS to discover the HTTP methods a resource supports (the methods a server would list in the Allow response header). This use of OPTIONS is not widely supported or used.
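The OPTIONS handling described in the two sections above (the preflight policy for platform origins and subdomains, the 404 for OPTIONS without an Origin header, and pass-through on anonymous ingresses), written out as an added example that is not Gafaelfawr's own implementation. The base URL https://data.example.org and the other hostnames are constructed for illustration. The page does not state the status code used to reject a foreign origin, so the function returns a decision label rather than an HTTP status.

```python
"""Model of the OPTIONS handling for Gafaelfawr-protected ingresses.

Added example, not Gafaelfawr's implementation. Hostnames are constructed.
"""

from typing import Optional
from urllib.parse import urlsplit

ALLOW = "allow"                   # pass the OPTIONS request through to the protected app
REJECT_NO_ORIGIN = "reject-404"   # OPTIONS without an Origin header is rejected with 404
REJECT_FOREIGN = "reject"         # Origin from outside the platform (status not given on the page)


def _hostname(url: str) -> Optional[str]:
    """Lowercased hostname of a URL or Origin value, or None if it has none.

    An ``Origin: null`` header (sandboxed frames, file: URLs, some redirects)
    has no hostname and therefore never matches.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def origin_is_platform(origin: str, base_url: str, allow_subdomains: bool) -> bool:
    """True if Origin names the base URL's host or, when enabled, a subdomain of it.

    Only hostnames are compared, as the policy above describes; the scheme
    and port of the Origin are not part of the check.
    """
    base_host = _hostname(base_url)
    host = _hostname(origin)
    if base_host is None or host is None:
        return False
    if host == base_host:
        return True
    # Require a dot boundary: "evil-data.example.org" must not match
    # "data.example.org", which a plain suffix test would allow.
    return allow_subdomains and host.endswith("." + base_host)


def options_decision(headers: dict, base_url: str, *,
                     allow_subdomains: bool = False, anonymous: bool = False) -> str:
    """Decision for an OPTIONS request, given its headers and the ingress settings."""
    if anonymous:
        return ALLOW  # anonymous ingresses pass every request through, OPTIONS included
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return REJECT_NO_ORIGIN
    if origin_is_platform(origin, base_url, allow_subdomains):
        return ALLOW
    return REJECT_FOREIGN


if __name__ == "__main__":
    base = "https://data.example.org"
    for origin in ("https://data.example.org", "https://nb.data.example.org",
                   "https://evil-data.example.org", "https://attacker.example", "null"):
        print(origin, "->", options_decision({"Origin": origin}, base, allow_subdomains=True))
    print("no Origin ->", options_decision({}, base))
```

The dot-boundary check in origin_is_platform is the part worth copying: a suffix comparison without the leading dot would let an attacker-controlled name such as evil-data.example.org satisfy the subdomain rule.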