I'm running into an issue with my dispatcher CORS configurations; debugging this is proving to be insanely challenging.

Env -

AEM as a Cloud Service. There are a couple of content fragment model APIs that a web app is consuming. The web app has 3 non-prod environments, each with its own domain, and all three domains are hitting the same AEM instance to consume model APIs.

Issue -

CORS response caches only the first requester (say domain1.com) until cache expiry. Subsequent CORS requests from other origins (say domain2.com and domain3.com) fail since the cached origin is different to the current requester's origin (even though they are an 'allowed origin' under our policy).

Access to XMLHttpRequest at 'https://publish-p12345-e12345.adobeaemcloud.com/content/wknd/us/en/api/experiments.model.json' from origin 'https://domain2.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://domain1.com' that is not equal to the supplied origin.

AEM setup -

  1. OSGi config (com.adobe.granite.cors.impl.CORSPolicyImpl)
{
  "allowedpaths": [".*"],
  "alloworigin": ["https://domain1.com","https://domain2.com","https://domain3.com"],
  "alloworiginregexp": [],
  "exposedheaders": [],
  "maxage:Integer": 1800,
  "supportedheaders": ["Origin","Accept","X-Requested-With","Content-Type","Access-Control-Request-Method","Access-Control-Request-Headers"],
  "supportedmethods": ["HEAD","GET"],
  "supportscredentials": false
}
  2. /conf.d/available_vhosts/wknd.vhost
<Directory />
....
Header merge Vary Origin
....
</Directory>

<IfModule mod_headers.c>
# Multi domain CORS support
SetEnvIfNoCase Origin "https?://(www\.)?(domain1\.com|domain2\.com|domain3\.com)(:\d+)?$" ACAO=$0
Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO
Header set Vary Origin

<LocationMatch "\.(json)$">
Header set Cache-Control "max-age=600,stale-while-revalidate=86400,stale-if-error=86400" "expr=%{REQUEST_STATUS} < 400"
Header set Age 0
</LocationMatch>
</IfModule>

Also tried,

  • removing the Vary Origin lines
  • Header always add Access-Control-Allow-Origin

all to no avail.
  3. Not caching any CORS headers in conf/dispatcher.d/available_farms/wknd.farm/publishfarm/headers
/headers {
 "Cache-Control"
 "Content-Disposition"
 "Content-Type"
 "Expires"
 "Last-Modified"
 "X-Content-Type-Options"
 "Surrogate-Control"
}
  4. Adding access-control headers to conf/dispatcher.d/clientheaders
$include "./default_clientheaders.any"
"Origin"
"Access-Control-Request-Method"
"Access-Control-Request-Headers"

Can someone who has tackled this in the past guide me here, please?

SubSul
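
Added example, not part of the original question or answers: a constructed Python model (not the AEM dispatcher or CDN) of why the first requester's origin sticks when a shared cache stores an echoed Access-Control-Allow-Origin without keying the entry on Origin, and how a Vary: Origin response header changes the outcome. SharedCache, the X-Cache marker and run are hypothetical names used only for illustration.

```python
# Constructed model of a shared cache in front of a CORS-aware backend.
# All names here (SharedCache, X-Cache, run) are hypothetical, for illustration.
ALLOWED = {"https://domain1.com", "https://domain2.com", "https://domain3.com"}
PATH = "/content/wknd/us/en/api/experiments.model.json"

def backend(req_headers, send_vary):
    """Echo the request Origin back if it is on the allow-list."""
    resp = {"Content-Type": "application/json"}
    if req_headers.get("Origin") in ALLOWED:
        resp["Access-Control-Allow-Origin"] = req_headers["Origin"]
    if send_vary:
        resp["Vary"] = "Origin"
    return resp

class SharedCache:
    """Keys entries on the path plus the request headers named in Vary."""
    def __init__(self, send_vary):
        self.send_vary = send_vary
        self.vary = {}    # path -> header names taken from the last Vary seen
        self.store = {}   # (path, varied request values) -> response headers

    def _key(self, path, req_headers):
        return (path, tuple(req_headers.get(n) for n in self.vary.get(path, ())))

    def fetch(self, path, req_headers):
        hit = self.store.get(self._key(path, req_headers))
        if hit is not None:
            return {**hit, "X-Cache": "HIT"}
        resp = backend(req_headers, self.send_vary)
        self.vary[path] = tuple(n.strip() for n in resp.get("Vary", "").split(",") if n.strip())
        self.store[self._key(path, req_headers)] = resp
        return {**resp, "X-Cache": "MISS"}

def browser_accepts(origin, resp):
    """The browser-side check that produced the error quoted in the question."""
    return resp.get("Access-Control-Allow-Origin") in ("*", origin)

def run(send_vary):
    cache = SharedCache(send_vary)
    out = {}
    for origin in sorted(ALLOWED):
        resp = cache.fetch(PATH, {"Origin": origin})
        out[origin] = (resp["X-Cache"], browser_accepts(origin, resp))
    return out

if __name__ == "__main__":
    print("no Vary:", run(False))
    print("Vary: Origin:", run(True))
```

Without Vary, the second and third origins receive the entry cached for the first one and the browser check fails; with Vary: Origin honoured by the cache, each origin gets its own entry.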

1 Answer

I am dealing with the exact same issue with CORS requests at the moment and have read on several similar forums that the subsequent requests get blocked. Have you tried to remove the OSGi configuration and just run the vhost configuration alone? It's possible that the two configurations are conflicting with each other.

jPring
  • Nope, haven't tried this. I'll get this tested and share a note here. – SubSul May 22 '23 at 11:25
  • Removed OSGi configs and had the vhost configs alone handle the requests; not working, my friend! If you come across a solution, please let me know. – SubSul May 22 '23 at 22:50
  • Going back through some old notes, I realised that after you make any changes to your Granite CORS configuration you must clear the cache on the resource you are trying to access. I believe this can be done via dispatcher using sudo /bin/rm -f {content path}. It may not help but if you can clear the cache on your requested resource once you have removed the OSGi config to see whether the conflict stops then. – jPring May 31 '23 at 09:12
  • Hello @SubSul, I believe I have found your solution for this. What you need to do is remove any OOTB configurations for CORS (delete the configuration). In the dispatcher, add the following rules in the vhost config:
        SetEnvIf Origin "http(s)?://(www\.)?(google\.com|staging\.google\.com|development\.google\.com|otherdomain\.example|dev02\.otherdomain\.example)$" AccessControlAllowOrigin=$0
        Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
        Header merge Vary Origin
    Reload Disp – jPring Jun 16 '23 at 11:38
  • Here is a link to a similar Stack Overflow post that should help take you through the process: https://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains – jPring Jun 16 '23 at 11:41