CORS on AppEngine Java


Joshua Fox

Apr 11, 2019, 10:44:36 AM
to google-a...@googlegroups.com
In App Engine Python and Go, one defines CORS headers in app.yaml.

But in Java, the documentation does not mention this. How do I do the equivalent in Java?



--
Joshua Fox, Director, Software Architecture | Freightos


Les Vogel

Apr 12, 2019, 4:44:31 PM
to Google App Engine



--
Les Vogel, Cloud Developer Relations

Les Vogel

Apr 12, 2019, 6:06:03 PM
to Google App Engine
[bcc: a couple googlers]
Hi Joshua,

Sorry for the terse response earlier. The enable-cors answer will work in many cases but is incomplete, and you'll find yourself adding it to all your pages. Of course, a full answer is a lot more complicated and depends on what you are trying to serve and where you are serving it from. Your static assets will need one kind of CORS headers, similar to what the documentation is showing you for Go / Python. It's been a while since I did that for Java, so I'll need to look that up if that's what you're looking for.

If you are trying to serve dynamic content that needs CORS headers, then you'll probably want to look at: https://stackoverflow.com/questions/8303162/jetty-cross-origin-filter and https://howtodoinjava.com/servlets/java-cors-filter-example/ 

Take a look at that, and let me know if that doesn't work for you and I'll try to look up what to change in appengine-web.xml for CORS support.

Les

Les Vogel

Apr 12, 2019, 6:24:41 PM
to Google App Engine
[bcc: three googlers]
Hi Joshua,

I read the docs a bit closer and if you look under <static-files>, it gives a CORS example without ever mentioning CORS. (I've asked that this gets fixed.) Again, it's only for static content.

Les

Joshua Fox

Apr 14, 2019, 3:23:32 AM
to google-a...@googlegroups.com
Thank you, Les,

However, Google Cloud serves our content from multiple domains besides our own, including appspot.com, google.com, googleusercontent.com, googleapis.com, and many others. How can we allow access to these domains (as well as our own) with CORS headers, yet maintain security against CSRF?



Les Vogel

Apr 15, 2019, 12:28:04 PM
to Google App Engine
Hi Joshua,

First off, CORS isn't really a protection against CSRF.  For CSRF mitigation ideas take a look here.  CORS is mostly a protection against asset and bandwidth theft. (See Why CORS?)

Instead of thinking about CORS first, you really want to think about your web application. What assets will it be requesting, and where do they live? Your primary assets determine the rules that work for free (i.e. you can always load things from the same spot, typically your domain or an *.appspot.com address). The other spots need to be told that they can permit / give permission for your app to access the data.

As I mentioned earlier, static assets on App Engine are set in your appengine-web.xml or app.yaml files. Dynamic assets will need code; for Java Servlets it's usually easiest to add a filter that runs before the Servlet. Other frameworks have similar mechanisms.

Google APIs depend on the service you're accessing. The most common is Cloud Storage, which has a page on CORS and configuration. Other Google properties & APIs that expect to be accessed via a web application will be configured appropriately or provide a mechanism.

Hope that helps,

Les

