Is there any reason why the CORS assertion cannot be used in older versions of the gateway? Is there anything special about 9.1 that enables this assertion? I ask because I have an 8.4 gateway instance running where I could potentially use it. Any chance it could be made a tactical package?
You should contact support with your question. I know there is a CORS policy available for 9.0, maybe it also works on 8.4.
For a sample policy prior to 9.1, please review this post Handling CORS on the Gateway .
Director, CA Support