PingAccess

Adding a cross-origin request rule

Use cross-origin resource sharing (CORS) to let a web server grant access to restricted resources, such as fonts, JavaScript, and images, to an application that’s served by another domain. This is done without granting access to those resources beyond a list of predefined origin servers.

About this task

Before a CORS request is sent, the originating web server generally sends a pre-flight OPTIONS request if the client’s request includes credentials. This pre-flight request is used to determine if the target server will permit the originating web server to process CORS requests.

PingAccess can evaluate the headers provided in a CORS request to grant or deny access to resources.

If the target application has an Application Type of API, you can allow the protected application to handle the request instead of PingAccess.

To do this with a resource path that is protected by PingAccess and requires user authentication, configure a second resource with the same path pattern. Make sure to set the Methods field to OPTIONS and clear the Anonymous option. This configuration allows the API request to be handled anonymously.

Steps

  1. Click Access, then go to Rules > Rules.

  2. Click Add Rule.

  3. In the Name field, enter a unique name up to 64 characters long.

    Special characters and spaces are allowed.

  4. In the Type list, select Cross-Origin Request.

  5. In the Allowed Origins field, enter one or more origin values.

    1. Click New Value to add additional values.

      Avoid using a value of * in this field. While this is a valid configuration, it is an insecure practice.

  6. (Optional) To configure additional options, click Show Advanced Settings.

    1. To permit user credentials to be used in determining access, enable Allow Credentials.

    2. If you entered a wildcard in the Allowed Origins field, select the Mask Wildcard Policy checkbox to replace the Access-Control-Allow-Origin response header with the value provided in the request’s Origin header.

    3. To modify the Allowed Request Headers values, use the following options:

      • To add a new header, click New Value.

      • To edit an existing header, click the field and make your changes.

      • To remove an existing header, click the Delete icon.

      The default headers are Authorization, Content-Type, and Accept.

    4. To respond to CORS preflight requests with the expected response header, Access-Control-Allow-Private-Network: true, select Allow Private Access Network.

      Google Chrome CORS preflight requests will soon include a new request header: Access-Control-Request-Private-Network: true. If preflight requests that contain this header do not receive an Access-Control-Allow-Private-Network: true header in response, access requests will be denied.

    5. To make specific response headers available to the client that originated the cross-origin request, enter the headers in the Exposed Response Headers field.

    6. To add additional headers to the list, click New Value.

    7. To define the request methods allowed in cross-origin requests, enter the desired overrides in the Overridden Request Methods field.

    8. To modify the amount of time that the pre-flight OPTIONS request is cached, enter the maximum age (in seconds) in the OPTIONS Cache Max Age field.

      The default is 600 seconds.

  7. Click Save.
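The following is an added example, not PingAccess code, that models how the rule settings described in the steps above translate into the headers returned to a pre-flight OPTIONS request, and flags the wildcard combinations this page warns against. The `CorsRule` dataclass, the function names, the `Vary: Origin` header and the sample origins and requests are my own constructions; the field names and defaults follow the rule settings on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CorsRule:
    """Settings of a Cross-Origin Request rule, named after the fields on this page."""
    allowed_origins: List[str]                              # Allowed Origins
    allow_credentials: bool = False                         # Allow Credentials
    mask_wildcard_policy: bool = False                      # Mask Wildcard Policy
    allowed_request_headers: List[str] = field(             # Allowed Request Headers (page defaults)
        default_factory=lambda: ["Authorization", "Content-Type", "Accept"])
    allow_private_network: bool = False                     # Allow Private Access Network
    exposed_response_headers: List[str] = field(default_factory=list)    # Exposed Response Headers
    overridden_request_methods: List[str] = field(default_factory=list)  # Overridden Request Methods
    options_cache_max_age: int = 600                        # OPTIONS Cache Max Age, in seconds


def _csv(value: str) -> List[str]:
    """Split a comma-separated header value into trimmed, non-empty tokens."""
    return [v.strip() for v in value.split(",") if v.strip()]


def preflight_response(rule: CorsRule, request: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Build the CORS headers a gateway would return for a pre-flight OPTIONS request.

    Returns None when the pre-flight must be refused: origin not allowed, a requested
    header outside the allow-list, or a method outside the overrides. Header-name and
    method matching is case-insensitive, as in HTTP.
    """
    origin = request.get("Origin")
    if not origin:
        return None
    wildcard = "*" in rule.allowed_origins
    if not wildcard and origin not in rule.allowed_origins:
        return None

    allowed_headers = {h.lower() for h in rule.allowed_request_headers}
    if any(h.lower() not in allowed_headers
           for h in _csv(request.get("Access-Control-Request-Headers", ""))):
        return None

    method = request.get("Access-Control-Request-Method", "").upper()
    if rule.overridden_request_methods and \
            method not in {m.upper() for m in rule.overridden_request_methods}:
        return None

    resp: Dict[str, str] = {}
    if wildcard and not rule.mask_wildcard_policy:
        resp["Access-Control-Allow-Origin"] = "*"
    else:
        # Mask Wildcard Policy (or an explicit allow-list) echoes the request's Origin.
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = "Origin"  # assumption: cache-safety header, not a setting on the page
    if rule.allow_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    resp["Access-Control-Allow-Headers"] = ", ".join(rule.allowed_request_headers)
    if rule.overridden_request_methods:
        resp["Access-Control-Allow-Methods"] = ", ".join(rule.overridden_request_methods)
    if rule.exposed_response_headers:
        resp["Access-Control-Expose-Headers"] = ", ".join(rule.exposed_response_headers)
    if rule.allow_private_network and \
            request.get("Access-Control-Request-Private-Network") == "true":
        resp["Access-Control-Allow-Private-Network"] = "true"
    resp["Access-Control-Max-Age"] = str(rule.options_cache_max_age)
    return resp


def rule_warnings(rule: CorsRule) -> List[str]:
    """Configuration review: flag the wildcard usage this page calls insecure."""
    warnings: List[str] = []
    if "*" in rule.allowed_origins:
        warnings.append("Allowed Origins contains '*': any site may read the resource.")
        if rule.allow_credentials and rule.mask_wildcard_policy:
            warnings.append("'*' with Allow Credentials and Mask Wildcard Policy lets any "
                            "origin make credentialed requests; list origins explicitly.")
    return warnings


if __name__ == "__main__":
    # Constructed sample: one trusted origin and a pre-flight sent from it.
    rule = CorsRule(allowed_origins=["https://app.example.com"], allow_credentials=True,
                    exposed_response_headers=["X-Request-Id"],
                    overridden_request_methods=["GET", "POST"])
    preflight = {"Origin": "https://app.example.com",
                 "Access-Control-Request-Method": "POST",
                 "Access-Control-Request-Headers": "authorization, content-type"}
    for name, value in (preflight_response(rule, preflight) or {}).items():
        print(f"{name}: {value}")
    for w in rule_warnings(CorsRule(["*"], allow_credentials=True, mask_wildcard_policy=True)):
        print("WARNING:", w)
```

Running the sample prints the seven response headers for the trusted origin; a pre-flight from an unlisted origin, one that requests a header outside the allow-list, or one whose method is not among the overrides yields `None`, which is the case a rule denies.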