CORS Support

[Ian Carvalho]

Looking in the documentation, I could not find any references on enabling CORS in Api-Gateway.

Will setting allowCors in the openApi config  and dealing with it in the backend work?

Is there anyway we add CORS support directly to ESPv2?

Thanks

[Jose Vioque Ojeda]

Hi,

At the moment there is no way of configuring CORS in the API Gateway.

As you say, you will need to handle CORS in the backend. If you are using ESPv2, the same CORS settings that apply for ESP [1] apply for ESPv2, although ESPv2 has further config options [2]

Regards
────────────────────

[1]: https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#configuring_to_allow_cors_requests

[2]: https://cloud.google.com/endpoints/docs/openapi/specify-esp-v2-startup-options#cors 

[Trevor Pfiz]

Is there a timetable for when CORS support would be available?  This is a deal-breaker for me to use the API Gateway service as I have a React + GraphQL application that is reaching out to the API Gateway endpoint to run a Cloud Function that gets a prediction from the AI Platform.  Is the solution in the meantime to use ESPv2 for this use-case?

Thanks,

Trevor Pfizenmaier

[Chris Latimer]

We expect to have CORS support available in H1 2021. In the meantime, as a work around you should be able to create a function/service that handles the preflight CORS request and proxy that through API Gateway. Not ideal I know, but it should work as a temporary solution until we are able to deliver this as an official feature within API Gateway.

--
You received this message because you are subscribed to the Google Groups "api-gateway-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-gateway-us...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/api-gateway-users/1843d23c-231f-4cdc-8e47-3ea02481e0c1n%40googlegroups.com.

--

Chris Latimer |

Product Manager, API Management |

clat...@google.com |

1-614-596-8090

[Trevor Pfiz]

Awesome, thank you for the response Chris.  I have been able to set ESPv2 up to do what I would want with API Gateway + CORS support, so I should be good to go with that solution for now.

Thanks,

Trevor Pfizenmaier

[Minon Weerasinghe]

Hi Trevor would you be able to give more details as to how you were able to solve the issue. I've updated the API config to allow cors and tried passing the Access-Control-Allow-Origin in the response header from the cloud function but the API Gateway seems to filter it out. Google API Gateway seems very promising and given our entire infrastructure is based on Google/Firebase I'm not willing to give up just yet and the CORS config is the one thing that has put a halt on my work.

[Anish Khattar]

Another way to solve this issue is to configure the "options" method in your open API config. When the browser makes the initial CORS request the request method is set to "OPTIONS". For example here is how I configured one of the endpoints in my config

/create:

    post:

      summary: Create a new account

      parameters:

        - in: body

          name: user

          description: The user to create

          schema:

            type: object

            required:

              - name

              - username

              - password

            properties:

              name:

                type: string

              username:

                type: string

              password:

                type: string

      responses:

        200:

          description: Account succesfully created

        409:

          description: Username/email already exists

    options:

      operationId: create-cors

      responses:

        200:

          description: Success

[Anish Khattar]

Also forgot to mention that you will need handle the OPTIONS request in your backend and set the appropriate headers in the response required by CORS.

[Gerald Yeong]

Hi all, my setup is from the API gateway to my cloud run nodejs instance. I've set CORS via my cloud run nodejs instance. Not sure if this is what you are looking for.

[Rajthilak Ravikumar]

swagger: "2.0"
host: "my-cool-api.endpoints.my-project-id.cloud.goog"
x-google-endpoints:
- name: "my-cool-api.endpoints.my-project-id.cloud.goog"
  allowCors: True

Note: host and name should have the same API endpoint name

Configuring these lines in your config file enables CORS for API GATEWAY

https://cloud.google.com/endpoints/docs/openapi/support-cors#:~:text=CORS%20(Cross%2Dorigin%20resource%20sharing,would%20prevent%20cross%2Dorigin%20requests.

[Denis Loginov]

One other possible "dummy" OPTIONS backend can be a bucket: https://cloud.google.com/storage/docs/cross-origin

[Stephen Gaffney]

Is there any update on supporting CORS in API Gateway? 

[Sunil Poudél]

With the help of the following:

https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#configuring_to_allow_cors_requests
https://groups.google.com/g/api-gateway-users/c/9CwyQr1c420/m/7-7Z7ZKxBAAJ

I am able to bypass the CORS check from API Gateway, But when we enabled security: (firebase authentication) in api-config.yml for API Gateway,  it is throwing the CORS error again. It will be great help if anyone can help on to fix this issue.

Thanks.

[Alexandre Thenorio]

For a GRPC backend there is no solution at the moment. You can bypass some of the CORS issues by appending some headers to the response using an external load balancer in front of the api gateway but as soon as you run into an use case where the browser sends OPTION (Which is not uncommon) you are stuck as there is no way to handle an OPTION request in the grpc server nor can you tell the api gateway config to send it somewhere else.

[Ben Calnan]

@Sunil Managed to get it working with the options method and firebase auth, but only if firebase auth is not set up on the options call itself i.e. set up on the GET/POST etc but not the options.

[Stefano Giostra]

Hi @"Ian Carvalho"

I adopted with success, the solution indicated by @"Anish Khattar" on an API Gateway for a Cloud Function adding obivously, a method in the Cloud Funtion to manage the option REST call, as showed by the google doc

```

def handler(request):
    if request.method == 'OPTIONS':
        return cors_enabled_function()

   ....

   ....

   ....

```

the cors_enabled_function method

[Dulce Hernandez Cruz]

The last answer worked for me https://stackoverflow.com/questions/64281334/cors-errors-when-trying-to-fetch-from-new-google-cloud-api-gateway.

I was trying to make a DELETE request from the browser, which returned first the OPTIONS request, but by following the suggested solution, it works now.

[Marcin Radlak]

Hello @Chris Latimer. You mentioned it is expected to have CORS support available in H1 2021. What's the status? Is it possible to release the support this year?

[Zion Liu]

It is late of Oct already, can we have a status of when CORS support will be available.

[Nandan Sridhar]

Hello Zion, We have a change to our plans for delivering this feature in API Gateway. At the moment we do not have plans to add support for CORS in API Gateway. I apologize for any inconvenience this caused to your plans for adoption of the service.  If you wish to discuss alternatives, future plans/roadmaps I'm happy to schedule a call with you.

On Sat, Oct 23, 2021 at 5:41 AM Zion Liu <bel...@gmail.com> wrote:

It is late of Oct already, can we have a status of when CORS support will be available.

--

You received this message because you are subscribed to the Google Groups "api-gateway-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-gateway-us...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/api-gateway-users/cf7a4d1a-c49c-477a-9fd3-ec9f561da17en%40googlegroups.com.

[dhananjay bhau]

This is very much required functionality 

[Josh Einhorn]

Hi Dhananjay,

As Nandan said, this is not currently on our roadmap (apologies for any previous miscommunication). As a short term "workaround", have you looked at using ESPv2?

-Josh

To view this discussion on the web visit https://groups.google.com/d/msgid/api-gateway-users/e943069c-c68f-4ca0-90b6-5c4973df4347n%40googlegroups.com.

--

Josh Einhorn |

Tech Lead & Manager |

joshe...@google.com |

1-215-837-1102

[dhananjay bhau]

I am able to do it by workaround OPTIONS .

I worked with other cloud provider as well  and there its just a minute of work. Here i struggled for 2-3 days. Just provided my feedback for betterment of GCP gateway.

[Andreas Lindfalk]

I got a workaround working for the gRPC API Gateway with these steps:

Step 1: Add an additional custom OPTIONS mapping:

rpc ListLocations (ListLocationsRequest) returns (ListLocationsResponse) {

option (google.api.http) = { custom:

{

kind: "options"

path: "/v1/patient/locations"

};

additional_bindings {

get: "/v1/patient/locations"

}

};

};

Step 2: Enable "allow_cors" on the endpoint:

type: google.api.Service

config_version: 3

name: patient-api-something.apigateway.<project id>.cloud.goog

title: Patient API Gateway

endpoints:

- name: patient-api-something.apigateway.<project id>.cloud.goog

allow_cors: true

Step 3: Respond to OPTIONS requests in the backend:

func newHttpAndGrpcMux(httpHandler http.Handler, grpcHandler http.Handler) http.Handler {

return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

w.Header().Set("Access-Control-Allow-Origin", "*")

w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")

w.Header().Set("Access-Control-Allow-Headers", "*, Authorization")

w.Header().Set("Access-Control-Expose-Headers", "*")

w.Header().Set("Access-Control-Max-Age", "1728000")

if r.Method == "OPTIONS" {

return

}

if r.ProtoMajor == 2 && strings.HasPrefix(r.Header.Get("content-type"), "application/grpc") {

grpcHandler.ServeHTTP(w, r)

return

}

httpHandler.ServeHTTP(w, r)

})

}

So in other words, make the http/json transcoding handle OPTIONS requests and then instruct the endpoint to allow these requests and finally respond to these requests before delegating to the actual gRPC handlers in the backend. And yes, I'm aware that the cors headers in the example are a bit to "allowing" :)

[Tushar Baradia]

Hello

I have tried so many methods but it giving me cors error only when I'm passing out expired access token.

Otherwise it is working fine.

Can anyone help me regarding this?
I want that anyone who pass expired token should not get cors error in api gateway.
Here we are not using ESP or V2.

Just using API gateway, and cors is handled in config part..

[Ivan Barišić]

Any info on CORS functionality under API Gateway? We have added following to our config.yaml, but no luck whatsoever. Transcoded request are going ok, but GRPC OPTION request is returning 405 Method not allowed. In order to get REST working out, we added load balancer with response headers in front. 

```

endpoints:
- name: <name>.apigateway.<project_id>.cloud.goog
allow_cors: true

```