Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.
SOLVED

AEM as cloud service multi domain CORS configuration

Avatar

Level 3

I'm running into an issue with my dispatcher configurations, debugging this is proving out to be insanely challenging.

Env -

AEM as cloud service. There are a couple of content fragment model APIs that a web app is consuming. The web app has 3 non-prod environments, each with its own domain and all three domains are hitting the same aem instance to consume model APIs.

 

Issue -

CORS response caches only the first requester (say domain1.com) until cache expiry. Subsequent CORS requests from other origins (say domain2.com and domain3.com) fail since the cached origin is different to the current requester's origin (even though they are an 'allowed origin' under our policy)

 

 

Access to XMLHttpRequest at 'https://publish-p12345-e12345.adobeaemcloud.com/content/wknd/us/en/api/experiments.model.json' from origin 'https://domain2.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://domain1.com' that is not equal to the supplied origin.

 

 

AEM setup -
1.
OSGi config (com.adobe.granite.cors.impl.CORSPolicyImpl)

 

{
  "allowedpaths": [".*"],
  "alloworigin": ["https://domain1.com","https://domain2.com","https://domain3.com"],
  "alloworiginregexp": [],
  "exposedheaders": [],
  "maxage:Integer": 1800,
  "supportedheaders": ["Origin","Accept","X-Requested-With","Content-Type","Access-Control-Request-Method","Access-Control-Request-Headers"],
  "supportedmethods": ["HEAD","GET"],
  "supportscredentials": false
}

 

 

2. /conf.d/available_vhosts/wknd.vhost

 

<Directory />
....
Header merge Vary Origin
....
</Directory>

<IfModule mod_headers.c>
# Multi domain CORS support
SetEnvIfNoCase Origin "https?://(www\.)?(domain1\.com|domain2\.com|domain3\.com)(:\d+)?$" ACAO=$0
Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO
Header set Vary Origin

<LocationMatch "\.(json)$">
Header set Cache-Control "max-age=600,stale-while-revalidate=86400,stale-if-error=86400" "expr=%{REQUEST_STATUS} < 400"
Header set Age 0
</LocationMatch>
</IfModule>

 

Also tried,

  • removing the Vary Origin lines
  • Header always add Access-Control-Allow-Origin, all to no avail.

3. Not caching any CORS headers in conf/dispatcher.d/available_farms/wknd.farm/publishfarm/headers

 

/headers {
 "Cache-Control"
 "Content-Disposition"
 "Content-Type"
 "Expires"
 "Last-Modified"
 "X-Content-Type-Options"
 "Surrogate-Control"
}

 

 

4. Adding access-control headers to conf/dispatcher.d/clientheaders

 

$include "./default_clientheaders.any"

"Origin"
"Access-Control-Request-Method"
"Access-Control-Request-Headers"

 

Can someone who has tackled this in the past guide here please ?
Key references :
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/dispatcher-cors-configurat...

https://experienceleague.adobe.com/docs/experience-manager-learn/foundation/security/understand-cros...

https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/d...

 

Tagging key people from various post's i've referred. Thanks.

@dorianhallward @vishwanath881 @shelly-goel @Vijayalakshmi_S @Robert_Wunsch 

 

 

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Can you try with

Header always set Access-Control-Allow-Origin "http://example.com https://example2.com"



Arun Patidar

View solution in original post

8 Replies

Avatar

Community Advisor

The issue could be at

Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO

where you are just setting just one domain,

Rely on just AEM CORS changes or try to set all the possible domains based on environment specific file. 



Arun Patidar

Avatar

Level 3

@arunpatidar Access-Control-Allow-Origin unfortunately accepts only single value. I'm trying to stay away from wild card due to security recommendations.

Avatar

Community Advisor

I think you can set multiple values using a comma separator

 

Access-Control-Allow-Origin: <domain> , where <domain> is either a list of specific domains or a wildcard to allow all domains



Arun Patidar

Avatar

Level 3

Thanks for the reply. I'm not sure about the source of your info but MDN says 

Only a single origin can be specified. If the server supports clients from multiple origins, it must return the origin for the specific client making the request.

I have tried adding a list to Access-Control-Allow-Origin and it fails to compile. 

 

Avatar

Correct answer by
Community Advisor

Can you try with

Header always set Access-Control-Allow-Origin "http://example.com https://example2.com"



Arun Patidar

Avatar

Level 1

Arun,

I got a reply from Adobe support person that we cant not add more than domain in the header

 

is it true ?

i tried putting the headers for CORS issue the way it is suggested but i got attached error.

 

Header set Access-Control-Allow-Origin "https://l.gbsmktotest.fiserv.com https://cvce.voiceoveranything.com"

could you please confirm what am i missing?

Avatar

Community Advisor

Hello @subsul1 

 

May the solution suggested on an another discussion would help:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/dispatcher-cors-configurat... 

 

Summarizing comment from @Robert_Wunsch :

 

I think the best solution is to handle "Multi-Domain-CORS" for AEM - outside of AEM and dispatcher. Do NOT use AEMs OSGi Config for "Adobe Granite Cross-Origin Resource Sharing Policy OSGi", and do not touch the Dispatcher config.

 

You can handle the CORS security on the Apache level alone (somewhat like SSL termination - handle this on the first device in your control).

 

By my understanding step 1. is also not required, and can actually negatively influence the CORS functionality.

My testing showed that AEM already blocked the request if the request came from a "wrong" domain, and the dispatcher also made some problems when the CORS-OSGi config was configured.

 

I think it is best to NOT configure AEM, you do not need to configure the dispatcher (to passthrough headers), and only configure the Apache to add the following code to the Apache configuration/vHost, and to adjust the reg-ex to hold all your "origin"-domains and sub-domains:

 

<IfModule mod_headers.c>

    SetEnvIfNoCase Origin "https?://(www\.)?(domain1\.com|domain2\.com)(:\d+)?$" ACAO=$0

    Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO

    Header set Vary Origin

</IfModule>

 

I think it is also a good idea to add/merge the VARY-header as "Vary: Origin" to tell an upstream CDN the signal, that separate copies of the responses (content&Header) should be stored in the CDN, depending on the requesting Origin.


Aanchal Sikka

Avatar

Level 3

I tried this, it is not working. The reply is about 5 years old, I'm wondering if anything's changed between now and then.