CORS Support

1555 views
Skip to first unread message

Ian Carvalho

unread,
Oct 5, 2020, 10:51:11 PM10/5/20
to api-gateway-users
Looking in the documentation, I could not find any references on enabling CORS in Api-Gateway.

Will setting allowCors in the openApi config  and dealing with it in the backend work?

Is there anyway we add CORS support directly to ESPv2?

Thanks

Jose Vioque Ojeda

unread,
Oct 7, 2020, 5:05:19 AM10/7/20
to api-gateway-users
Hi,

At the moment there is no way of configuring CORS in the API Gateway.
As you say, you will need to handle CORS in the backend. If you are using ESPv2, the same CORS settings that apply for ESP [1] apply for ESPv2, although ESPv2 has further config options [2]

Regards
────────────────────

Trevor Pfiz

unread,
Oct 9, 2020, 12:37:53 PM10/9/20
to api-gateway-users
Is there a timetable for when CORS support would be available?  This is a deal-breaker for me to use the API Gateway service as I have a React + GraphQL application that is reaching out to the API Gateway endpoint to run a Cloud Function that gets a prediction from the AI Platform.  Is the solution in the meantime to use ESPv2 for this use-case?

Thanks,
Trevor Pfizenmaier

Chris Latimer

unread,
Oct 9, 2020, 4:26:45 PM10/9/20
to Trevor Pfiz, api-gateway-users
We expect to have CORS support available in H1 2021. In the meantime, as a work around you should be able to create a function/service that handles the preflight CORS request and proxy that through API Gateway. Not ideal I know, but it should work as a temporary solution until we are able to deliver this as an official feature within API Gateway.

--
You received this message because you are subscribed to the Google Groups "api-gateway-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-gateway-us...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/api-gateway-users/1843d23c-231f-4cdc-8e47-3ea02481e0c1n%40googlegroups.com.


--

Chris Latimer | Product Manager, API Management | clat...@google.com | 1-614-596-8090

Trevor Pfiz

unread,
Oct 10, 2020, 1:46:46 PM10/10/20
to api-gateway-users
Awesome, thank you for the response Chris.  I have been able to set ESPv2 up to do what I would want with API Gateway + CORS support, so I should be good to go with that solution for now.

Thanks,
Trevor Pfizenmaier

Minon Weerasinghe

unread,
Oct 11, 2020, 3:03:58 AM10/11/20
to api-gateway-users
Hi Trevor would you be able to give more details as to how you were able to solve the issue. I've updated the API config to allow cors and tried passing the Access-Control-Allow-Origin in the response header from the cloud function but the API Gateway seems to filter it out. Google API Gateway seems very promising and given our entire infrastructure is based on Google/Firebase I'm not willing to give up just yet and the CORS config is the one thing that has put a halt on my work.

Anish Khattar

unread,
Dec 25, 2020, 6:24:16 PM12/25/20
to api-gateway-users
Another way to solve this issue is to configure the "options" method in your open API config. When the browser makes the initial CORS request the request method is set to "OPTIONS". For example here is how I configured one of the endpoints in my config

/create:
    post:
      summary: Create a new account
      parameters:
        - in: body
          name: user
          description: The user to create
          schema:
            type: object
            required:
              - name
              - username
              - password
            properties:
              name:
                type: string
              username:
                type: string
              password:
                type: string
      responses:
        200:
          description: Account succesfully created
        409:
          description: Username/email already exists
    options:
      operationId: create-cors
      responses:
        200:
          description: Success

Anish Khattar

unread,
Dec 25, 2020, 6:38:02 PM12/25/20
to api-gateway-users
Also forgot to mention that you will need handle the OPTIONS request in your backend and set the appropriate headers in the response required by CORS.

Gerald Yeong

unread,
Dec 29, 2020, 3:35:14 AM12/29/20
to api-gateway-users
Hi all, my setup is from the API gateway to my cloud run nodejs instance. I've set CORS via my cloud run nodejs instance. Not sure if this is what you are looking for.

Rajthilak Ravikumar

unread,
Feb 26, 2021, 1:09:50 AMFeb 26
to api-gateway-users
swagger: "2.0"
host: "my-cool-api.endpoints.my-project-id.cloud.goog"
x-google-endpoints:
- name: "my-cool-api.endpoints.my-project-id.cloud.goog"
  allowCors: True

Note: host and name should have the same API endpoint name

Denis Loginov

unread,
Mar 4, 2021, 12:57:16 AMMar 4
to api-gateway-users
One other possible "dummy" OPTIONS backend can be a bucket: https://cloud.google.com/storage/docs/cross-origin

Stephen Gaffney

unread,
Jun 10, 2021, 11:19:24 AMJun 10
to api-gateway-users
Is there any update on supporting CORS in API Gateway? 

Sunil Poudél

unread,
Jun 23, 2021, 7:03:42 AMJun 23
to api-gateway-users

With the help of the following:

I am able to bypass the CORS check from API Gateway, But when we enabled security: (firebase authentication) in api-config.yml for API Gateway,  it is throwing the CORS error again. It will be great help if anyone can help on to fix this issue.

Thanks.

Alexandre Thenorio

unread,
Jun 23, 2021, 8:36:03 AMJun 23
to api-gateway-users
For a GRPC backend there is no solution at the moment. You can bypass some of the CORS issues by appending some headers to the response using an external load balancer in front of the api gateway but as soon as you run into an use case where the browser sends OPTION (Which is not uncommon) you are stuck as there is no way to handle an OPTION request in the grpc server nor can you tell the api gateway config to send it somewhere else.

Ben Calnan

unread,
Aug 4, 2021, 10:20:31 AMAug 4
to api-gateway-users
@Sunil Managed to get it working with the options method and firebase auth, but only if firebase auth is not set up on the options call itself i.e. set up on the GET/POST etc but not the options.

Stefano Giostra

unread,
Aug 5, 2021, 4:04:35 AMAug 5
to api-gateway-users
Hi @"Ian Carvalho"
I adopted with success, the solution indicated by @"Anish Khattar" on an API Gateway for a Cloud Function adding obivously, a method in the Cloud Funtion to manage the option REST call, as showed by the google doc

```
def handler(request):
    if request.method == 'OPTIONS':
        return cors_enabled_function()
   ....
   ....
   ....
```

Dulce Hernandez Cruz

unread,
Aug 5, 2021, 9:13:19 AMAug 5
to api-gateway-users
The last answer worked for me https://stackoverflow.com/questions/64281334/cors-errors-when-trying-to-fetch-from-new-google-cloud-api-gateway.
I was trying to make a DELETE request from the browser, which returned first the OPTIONS request, but by following the suggested solution, it works now.

Marcin Radlak

unread,
Aug 11, 2021, 4:04:38 AMAug 11
to api-gateway-users
Hello @Chris Latimer. You mentioned it is expected to have CORS support available in H1 2021. What's the status? Is it possible to release the support this year?
Reply all
Reply to author
Forward
0 new messages