Hola Alejandro,
We have created a policy fragment for our RESTful APIs which handles, amongst other stuff, CORS on the gateway. Please have a look at the attached policy (API Policy and Policy Fragment (ApiPolicyWithCORS)). Note: Enable comments for explanations of the various steps. At the end, this policy allows us to configure the CORS behaviour per API policy but still using one generic fragment for all API policies...
In a nutshell what the policy does:
- Check if it's a "normal" API request or a CORS preflight request
- Normal API request:
-- Check if it's a simple CORS request
-- Validate incoming simple CORS headers and set response CORS headers (for error messages)
-- Perform steps necessary for API policy (only routing in the attached sample policy)
-- Set CORS response headers (for api responses from the backend)
- Preflight CORS request:
-- Validate incoming CORS preflight headers and set response CORS headers
Peter
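
The flow described in the post above, sketched as an added JavaScript example; it is not the attached policy or any gateway's own code. The function name, the config fields, the 403/204 status choices and the sample origin are assumptions made for illustration.

```javascript
// Hypothetical names throughout: corsDecision and the apiConfig fields are not from the attached policy.
const lower = (h) => Object.fromEntries(
  Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

function corsDecision(method, headers, apiConfig) {
  const h = lower(headers);
  const origin = h["origin"];
  // Preflight = OPTIONS carrying both Origin and Access-Control-Request-Method.
  const isPreflight = method === "OPTIONS" && origin !== undefined &&
    h["access-control-request-method"] !== undefined;
  const kind = isPreflight ? "preflight" : "cors-request";

  // No Origin header: not a CORS request, route without CORS headers.
  if (origin === undefined) return { kind: "non-cors", forward: true, headers: {} };

  // Exact-match allow list per API; an arbitrary Origin is never reflected.
  if (!apiConfig.allowedOrigins.includes(origin)) {
    return { kind, forward: false, status: 403, headers: {} };
  }
  const base = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };

  // Normal request: headers are fixed before routing so that gateway error
  // messages and backend responses both carry them.
  if (!isPreflight) return { kind, forward: true, headers: base };

  // Preflight: validate the requested method and headers, answer at the gateway.
  const reqMethod = h["access-control-request-method"];
  const reqHeaders = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowedHdrs = apiConfig.allowedHeaders.map((s) => s.toLowerCase());
  const ok = apiConfig.allowedMethods.includes(reqMethod) &&
    reqHeaders.every((x) => allowedHdrs.includes(x));
  if (!ok) return { kind, forward: false, status: 403, headers: {} };

  return { kind, forward: false, status: 204, headers: {
    ...base,
    "Access-Control-Allow-Methods": apiConfig.allowedMethods.join(", "),
    "Access-Control-Allow-Headers": apiConfig.allowedHeaders.join(", "),
    "Access-Control-Max-Age": String(apiConfig.maxAge),
  } };
}

// Constructed per-API configuration, standing in for the per-policy settings.
const ordersApi = {
  allowedOrigins: ["https://app.example.com"],
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["Content-Type", "Authorization"],
  maxAge: 600,
};
```
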