AEM as cloud service multi domain CORS configuration

Question

I'm running into an issue with my dispatcher configurations, debugging this is proving out to be insanely challenging.

Env -

AEM as cloud service. There are a couple of content fragment model APIs that a web app is consuming. The web app has 3 non-prod environments, each with its own domain and all three domains are hitting the same aem instance to consume model APIs.

Issue -

CORS response caches only the first requester (say domain1.com) until cache expiry. Subsequent CORS requests from other origins (say domain2.com and domain3.com) fail since the cached origin is different to the current requester's origin (even though they are an 'allowed origin' under our policy)

Access to XMLHttpRequest at 'https://publish-p12345-e12345.adobeaemcloud.com/content/wknd/us/en/api/experiments.model.json' from origin 'https://domain2.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://domain1.com' that is not equal to the supplied origin.

AEM setup -
1. OSGi config (com.adobe.granite.cors.impl.CORSPolicyImpl)

{
  "allowedpaths": [".*"],
  "alloworigin": ["https://domain1.com","https://domain2.com","https://domain3.com"],
  "alloworiginregexp": [],
  "exposedheaders": [],
  "maxage:Integer": 1800,
  "supportedheaders": ["Origin","Accept","X-Requested-With","Content-Type","Access-Control-Request-Method","Access-Control-Request-Headers"],
  "supportedmethods": ["HEAD","GET"],
  "supportscredentials": false
}

2. /conf.d/available_vhosts/wknd.vhost

<Directory />
....
Header merge Vary Origin
....
</Directory>

<IfModule mod_headers.c>
# Multi domain CORS support
SetEnvIfNoCase Origin "https?://(www\.)?(domain1\.com|domain2\.com|domain3\.com)(:\d+)?$" ACAO=$0
Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO
Header set Vary Origin

<LocationMatch "\.(json)$">
Header set Cache-Control "max-age=600,stale-while-revalidate=86400,stale-if-error=86400" "expr=%{REQUEST_STATUS} < 400"
Header set Age 0
</LocationMatch>
</IfModule>

Also tried,

removing the Vary Origin lines
Header always add Access-Control-Allow-Origin, all to no avail.

3. Not caching any CORS headers in conf/dispatcher.d/available_farms/wknd.farm/publishfarm/headers

/headers {
 "Cache-Control"
 "Content-Disposition"
 "Content-Type"
 "Expires"
 "Last-Modified"
 "X-Content-Type-Options"
 "Surrogate-Control"
}

4. Adding access-control headers to conf/dispatcher.d/clientheaders

$include "./default_clientheaders.any"

"Origin"
"Access-Control-Request-Method"
"Access-Control-Request-Headers"

Can someone who has tackled this in the past guide here please ?
Key references :
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/dispatcher-cors-configuration-gap-in-documentation/m-p/297760

https://experienceleague.adobe.com/docs/experience-manager-learn/foundation/security/understand-cross-origin-resource-sharing.html?lang=en

https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/deployments/configurations/cors.html?lang=en

Tagging key people from various post's i've referred. Thanks.

@dorianhallward @vishwanath881 @shelly-goel @vijayalakshmi_s @rwunsch-adobe

arunpatidar · Accepted Answer

Thanks for the reply. I'm not sure about the source of your info but MDN says

Only a single origin can be specified. If the server supports clients from multiple origins, it must return the origin for the specific client making the request.

I have tried adding a list to Access-Control-Allow-Origin and it fails to compile.

Can you try with

Header always set Access-Control-Allow-Origin "http://example.com https://example2.com"

arunpatidar · Answer

The issue could be atHeader set Access-Control-Allow-Origin %{ACAO}e env=ACAOwhere you are just setting just one domain,Rely on just AEM CORS changes or try to set all the possible domains based on environment specific file.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded