CORS Protocol Support
Add the CORS (cross-origin resource sharing) Protocol Support behavior if your property contains protected resources that can be requested by another domain that you may not control. This helps to specify which third-party web pages can request your content.
Why you need it
If your property serves protected content which may be accessed by other web pages, you can use the CORS Protocol Support behavior to enforce which web pages can request your content.
You may either add the CORS Protocol Support to optimize your content delivery, or—depending on the product you use and your property setup—this behavior might be required. For example, you need to add this behavior to your property if you use Bot Manager Premier's inline telemetry feature to cover cross-domain requests. If you need help determining which case applies to your configuration, contact your Professional Services representative.
Enabling the CORS behavior may permit requests which were previously blocked. Make sure this behavior is in line with your security settings or contact your Professional Services representative.
How it works
Imagine that a web page at https://www.example.com makes an AJAX request for the content served by your property. By configuring the CORS Protocol Support behavior, you can permit these requests, while denying requests for the same content from a different web page, such as https://www.invalid.com.
You can find more detailed specifications for this protocol in the WHATWG's Fetch Living Standard. It only applies to a limited number and type of requests from browsers. CORS doesn’t apply to requests from command-line tools. It is the browser that decides whether a request uses CORS. In general, CORS protocol is most frequently used when a web page uses AJAX to request a JavaScript file from another domain.
Terminology
In CORS terminology, “origin” means the fully-qualified domain of the web page that is making the request for your content, including the scheme (http or https) and the port, typically defaulted. For example, a web page with a URL of https://www.example.com/this/is/a/page which is making a request for your protected content has a CORS origin of https://www.example.com:443.
The CORS usage of “origin” is different from the common Akamai usage of “origin” that means your backend server from which your content is retrieved and served through Akamai.
In this document, use of the word “origin” should be taken to have the CORS meaning.
Features and options
| Field | What it does | Sub-options |
|---|---|---|
Enabled | Enables or disables this behavior. | N/A |
Allow Origins | Select whether to accept requests from any web page domain or from specific web page domains. |
|
Origins | With Allow Origins set to Specified, displays a list of the specified web page domains to accept requests from. Requests from web pages that use other domains are rejected. | N/A |
Allow Credentials | Accepts requests with credentials, such as cookies and client certificates. Allows browsers to process Set-Cookie responses. | N/A |
Allow Headers | Select which request headers to allow in requests for your content. |
|
Headers | With Allow Headers set to Specified, select one or more request headers you want to allow. Requests with other headers are rejected. | N/A |
Methods | Specifies any combination of the following methods: | N/A |
Expose Headers | Lists names of response headers that the requesting browser can access using JavaScript. Headers not specified here can't be accessed this way by the browser. This feature supports variable expression syntax. Type | N/A |
Preflight Max Age | The number of seconds that the browser should cache the response to a preflight request. By specifying this value, you can reduce the number of requests the browser sends to your property. | N/A |
Implementation with other Akamai products
Bot Manager Premier
How you set up CORS Support behavior depends on whether requests originate from the same domain or a different domain, and whether protected requests are HTML form submissions.
| Request origin | Behavior setup |
|---|---|
Same-domain HTML form submissions | Add the behavior with no setting changes. |
Cross-domain HTML form submissions | Add the behavior with no setting changes. |
Same-domain non-HTML form submissions (AJAX requests) | Set up CORS Support in the behavior to allow credentials. |
Cross-domain non-HTML form submissions (AJAX requests) | Set up CORS Support in the behavior to allow the |
For more details, read about this behavior in the Bot Manager Help.
Common Media Client Data & AMD
Are you using Adaptive Media Delivery (AMD) to deliver your content and want to support Common Media Client Data (CMCD) with your media player? If so, you'll need to set up the CORS Protocol Support behavior to support it. Have a look at Common Media Client Data & AMD for full details.
Updated 1 day ago