CORS Support

3841 views
Skip to first unread message

Ian Carvalho

unread,
Oct 5, 2020, 10:51:11 PM10/5/20
to api-gateway-users
Looking in the documentation, I could not find any references on enabling CORS in Api-Gateway.

Will setting allowCors in the openApi config  and dealing with it in the backend work?

Is there anyway we add CORS support directly to ESPv2?

Thanks

Jose Vioque Ojeda

unread,
Oct 7, 2020, 5:05:19 AM10/7/20
to api-gateway-users
Hi,

At the moment there is no way of configuring CORS in the API Gateway.
As you say, you will need to handle CORS in the backend. If you are using ESPv2, the same CORS settings that apply for ESP [1] apply for ESPv2, although ESPv2 has further config options [2]

Regards
────────────────────

Trevor Pfiz

unread,
Oct 9, 2020, 12:37:53 PM10/9/20
to api-gateway-users
Is there a timetable for when CORS support would be available?  This is a deal-breaker for me to use the API Gateway service as I have a React + GraphQL application that is reaching out to the API Gateway endpoint to run a Cloud Function that gets a prediction from the AI Platform.  Is the solution in the meantime to use ESPv2 for this use-case?

Thanks,
Trevor Pfizenmaier

Chris Latimer

unread,
Oct 9, 2020, 4:26:45 PM10/9/20
to Trevor Pfiz, api-gateway-users
We expect to have CORS support available in H1 2021. In the meantime, as a work around you should be able to create a function/service that handles the preflight CORS request and proxy that through API Gateway. Not ideal I know, but it should work as a temporary solution until we are able to deliver this as an official feature within API Gateway.

--
You received this message because you are subscribed to the Google Groups "api-gateway-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-gateway-us...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/api-gateway-users/1843d23c-231f-4cdc-8e47-3ea02481e0c1n%40googlegroups.com.


--

Chris Latimer | Product Manager, API Management | clat...@google.com | 1-614-596-8090

Trevor Pfiz

unread,
Oct 10, 2020, 1:46:46 PM10/10/20
to api-gateway-users
Awesome, thank you for the response Chris.  I have been able to set ESPv2 up to do what I would want with API Gateway + CORS support, so I should be good to go with that solution for now.

Thanks,
Trevor Pfizenmaier

Minon Weerasinghe

unread,
Oct 11, 2020, 3:03:58 AM10/11/20
to api-gateway-users
Hi Trevor would you be able to give more details as to how you were able to solve the issue. I've updated the API config to allow cors and tried passing the Access-Control-Allow-Origin in the response header from the cloud function but the API Gateway seems to filter it out. Google API Gateway seems very promising and given our entire infrastructure is based on Google/Firebase I'm not willing to give up just yet and the CORS config is the one thing that has put a halt on my work.

Anish Khattar

unread,
Dec 25, 2020, 6:24:16 PM12/25/20
to api-gateway-users
Another way to solve this issue is to configure the "options" method in your open API config. When the browser makes the initial CORS request the request method is set to "OPTIONS". For example here is how I configured one of the endpoints in my config

/create:
    post:
      summary: Create a new account
      parameters:
        - in: body
          name: user
          description: The user to create
          schema:
            type: object
            required:
              - name
              - username
              - password
            properties:
              name:
                type: string
              username:
                type: string
              password:
                type: string
      responses:
        200:
          description: Account succesfully created
        409:
          description: Username/email already exists
    options:
      operationId: create-cors
      responses:
        200:
          description: Success

Anish Khattar

unread,
Dec 25, 2020, 6:38:02 PM12/25/20
to api-gateway-users
Also forgot to mention that you will need handle the OPTIONS request in your backend and set the appropriate headers in the response required by CORS.

Gerald Yeong

unread,
Dec 29, 2020, 3:35:14 AM12/29/20
to api-gateway-users
Hi all, my setup is from the API gateway to my cloud run nodejs instance. I've set CORS via my cloud run nodejs instance. Not sure if this is what you are looking for.

Rajthilak Ravikumar

unread,
Feb 26, 2021, 1:09:50 AM2/26/21
to api-gateway-users
swagger: "2.0"
host: "my-cool-api.endpoints.my-project-id.cloud.goog"
x-google-endpoints:
- name: "my-cool-api.endpoints.my-project-id.cloud.goog"
  allowCors: True

Note: host and name should have the same API endpoint name

Denis Loginov

unread,
Mar 4, 2021, 12:57:16 AM3/4/21
to api-gateway-users
One other possible "dummy" OPTIONS backend can be a bucket: https://cloud.google.com/storage/docs/cross-origin

Stephen Gaffney

unread,
Jun 10, 2021, 11:19:24 AM6/10/21
to api-gateway-users
Is there any update on supporting CORS in API Gateway? 

Sunil Poudél

unread,
Jun 23, 2021, 7:03:42 AM6/23/21
to api-gateway-users

With the help of the following:

I am able to bypass the CORS check from API Gateway, But when we enabled security: (firebase authentication) in api-config.yml for API Gateway,  it is throwing the CORS error again. It will be great help if anyone can help on to fix this issue.

Thanks.

Alexandre Thenorio

unread,
Jun 23, 2021, 8:36:03 AM6/23/21
to api-gateway-users
For a GRPC backend there is no solution at the moment. You can bypass some of the CORS issues by appending some headers to the response using an external load balancer in front of the api gateway but as soon as you run into an use case where the browser sends OPTION (Which is not uncommon) you are stuck as there is no way to handle an OPTION request in the grpc server nor can you tell the api gateway config to send it somewhere else.

Ben Calnan

unread,
Aug 4, 2021, 10:20:31 AM8/4/21
to api-gateway-users
@Sunil Managed to get it working with the options method and firebase auth, but only if firebase auth is not set up on the options call itself i.e. set up on the GET/POST etc but not the options.

Stefano Giostra

unread,
Aug 5, 2021, 4:04:35 AM8/5/21
to api-gateway-users
Hi @"Ian Carvalho"
I adopted with success, the solution indicated by @"Anish Khattar" on an API Gateway for a Cloud Function adding obivously, a method in the Cloud Funtion to manage the option REST call, as showed by the google doc

```
def handler(request):
    if request.method == 'OPTIONS':
        return cors_enabled_function()
   ....
   ....
   ....
```

Dulce Hernandez Cruz

unread,
Aug 5, 2021, 9:13:19 AM8/5/21
to api-gateway-users
The last answer worked for me https://stackoverflow.com/questions/64281334/cors-errors-when-trying-to-fetch-from-new-google-cloud-api-gateway.
I was trying to make a DELETE request from the browser, which returned first the OPTIONS request, but by following the suggested solution, it works now.

Marcin Radlak

unread,
Aug 11, 2021, 4:04:38 AM8/11/21
to api-gateway-users
Hello @Chris Latimer. You mentioned it is expected to have CORS support available in H1 2021. What's the status? Is it possible to release the support this year?

Zion Liu

unread,
Oct 23, 2021, 8:41:01 AM10/23/21
to api-gateway-users
It is late of Oct already, can we have a status of when CORS support will be available.

Nandan Sridhar

unread,
Oct 23, 2021, 2:06:25 PM10/23/21
to Zion Liu, api-gateway-users
Hello Zion, We have a change to our plans for delivering this feature in API Gateway. At the moment we do not have plans to add support for CORS in API Gateway. I apologize for any inconvenience this caused to your plans for adoption of the service.  If you wish to discuss alternatives, future plans/roadmaps I'm happy to schedule a call with you.


On Sat, Oct 23, 2021 at 5:41 AM Zion Liu <bel...@gmail.com> wrote:
It is late of Oct already, can we have a status of when CORS support will be available.

--
You received this message because you are subscribed to the Google Groups "api-gateway-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-gateway-us...@googlegroups.com.
Message has been deleted

dhananjay bhau

unread,
Apr 14, 2022, 1:10:23 PMApr 14
to api-gateway-users
This is very much required functionality 

Josh Einhorn

unread,
Apr 14, 2022, 4:37:22 PMApr 14
to dhananjay bhau, api-gateway-users
Hi Dhananjay,

As Nandan said, this is not currently on our roadmap (apologies for any previous miscommunication). As a short term "workaround", have you looked at using ESPv2?

-Josh



--
Josh Einhorn | Tech Lead & Manager | joshe...@google.com | 1-215-837-1102

dhananjay bhau

unread,
Apr 15, 2022, 5:56:41 AMApr 15
to Josh Einhorn, api-gateway-users
I am able to do it by workaround OPTIONS .
I worked with other cloud provider as well  and there its just a minute of work. Here i struggled for 2-3 days. Just provided my feedback for betterment of GCP gateway.

Andreas Lindfalk

unread,
Apr 21, 2022, 11:10:00 AMApr 21
to api-gateway-users
I got a workaround working for the gRPC API Gateway with these steps:

Step 1: Add an additional custom OPTIONS mapping:

rpc ListLocations (ListLocationsRequest) returns (ListLocationsResponse) {
option (google.api.http) = { custom:
{
kind: "options"
path: "/v1/patient/locations"
};
additional_bindings {
get: "/v1/patient/locations"
}
};
};

Step 2: Enable "allow_cors" on the endpoint:

type: google.api.Service
config_version: 3
name: patient-api-something.apigateway.<project id>.cloud.goog
title: Patient API Gateway
endpoints:
- name: patient-api-something.apigateway.<project id>.cloud.goog
allow_cors: true

Step 3: Respond to OPTIONS requests in the backend:

func newHttpAndGrpcMux(httpHandler http.Handler, grpcHandler http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "*, Authorization")
w.Header().Set("Access-Control-Expose-Headers", "*")
w.Header().Set("Access-Control-Max-Age", "1728000")

if r.Method == "OPTIONS" {
return
}

if r.ProtoMajor == 2 && strings.HasPrefix(r.Header.Get("content-type"), "application/grpc") {
grpcHandler.ServeHTTP(w, r)
return
}
httpHandler.ServeHTTP(w, r)
})
}

So in other words, make the http/json transcoding handle OPTIONS requests and then instruct the endpoint to allow these requests and finally respond to these requests before delegating to the actual gRPC handlers in the backend. And yes, I'm aware that the cors headers in the example are a bit to "allowing" :)

Tushar Baradia

unread,
Jun 3, 2022, 7:55:48 AMJun 3
to api-gateway-users
Hello

I have tried so many methods but it giving me cors error only when I'm passing out expired access token.

Otherwise it is working fine.

Can anyone help me regarding this?
I want that anyone who pass expired token should not get cors error in api gateway.
Here we are not using ESP or V2.

Just using API gateway, and cors is handled in config part..
Message has been deleted

Ivan Barišić

unread,
Jul 12, 2022, 8:40:49 AMJul 12
to api-gateway-users
Any info on CORS functionality under API Gateway? We have added following to our config.yaml, but no luck whatsoever. Transcoded request are going ok, but GRPC OPTION request is returning 405 Method not allowed. In order to get REST working out, we added load balancer with response headers in front. 
```
endpoints:
- name: <name>.apigateway.<project_id>.cloud.goog
allow_cors: true
```

Reply all
Reply to author
Forward
Message has been deleted
0 new messages