I have implemented a very limited CORS policy however Azure API Management allows traffic from any origin. Why is this happening / what might I be doing wrong?
I have applied a restrictive policy (see below) at the "All APIs" scope right down to the individual API scope.
<policies>
    <!-- Throttle, authorize, validate, cache, or transform the requests -->
    <inbound>
        <cors allow-credentials="false" terminate-unmatched-request="true">
            <allowed-origins>
                <origin>https://added_one_origin_its_a_requirement_to_save_the_policy/</origin>
            </allowed-origins>
            <allowed-methods>
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
    </inbound>
    <!-- Control if and how the requests are forwarded to services -->
    <backend>
        <base />
    </backend>
    <!-- Customize the responses -->
    <outbound>
        <base />
    </outbound>
    <!-- Handle exceptions and customize error responses -->
    <on-error>
        <base />
    </on-error>
</policies>
I have tested this API from the API Management plane (test console), a custom app on my machine, the command line, a browser, and Postman (using a custom Origin header with the value https://disallowed).
In all scenarios, my requests were allowed through.
I expected CORS to have blocked the requests.
Why is this happening?
Note - I have deployed APIM in internal mode (no external access).
asked Feb 5 at 19:41 by OldDusty

1 Answer
You have a fundamental misunderstanding of how CORS works.
The same origin policy is enforced by the browser for requests initiated by pages hosted on different origins.
It exists to prevent webpages (run by Mallary J Evilbod) from accessing other websites for whom the browser owner is an authorised user (via their cookies, position behind a firewall, etc.)
You seem to think it is there to control which applications can access a site. It isn’t.
CORS can be used to selectively turn the Same Origin Policy off.
Of the five test environments you describe, four of them are not affected by CORS.
The one that can be, the browser, would only be affected if you were making a request where it was relevant — e.g. using fetch across origins — and even then it would (at best) tell you that the Access-Control-Allow-Origin header had the wrong value instead of being missing.
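The browser-side check the answer describes, as an added example that is not part of the question or the answer: the gateway only sets Access-Control-Allow-Origin, and it is the browser that compares that header with the page's origin before letting the page read the response. The response headers are constructed, and it is an assumption that APIM echoes the matched origin back in the header.

```javascript
// Added example: a simplified model of the "CORS check" a browser runs after a
// cross-origin fetch(). The APIM policy in the question only decides which
// Access-Control-Allow-Origin value is sent; the browser decides whether the
// calling page may read the response. curl, Postman, the APIM test console and
// a console app never run this check, so their requests always "get through".

// Origin allowed by the policy in the question. A browser's Origin header is
// scheme://host[:port] with no trailing slash, so the slash is dropped here.
const ALLOWED_ORIGIN = "https://added_one_origin_its_a_requirement_to_save_the_policy";

// Constructed response headers (assumption: the gateway echoes the matched
// origin back; for an unmatched origin it sends no ACAO header at all).
const responseForMatchedOrigin = {
  "access-control-allow-origin": ALLOWED_ORIGIN,
  "access-control-expose-headers": "*",
};
const responseForUnmatchedOrigin = {};

// Browser-side check: the page may read the response only if ACAO is "*"
// (and the request carried no credentials) or exactly equals the page origin.
function browserMayReadResponse(pageOrigin, headers, withCredentials = false) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) {
    return { ok: false, reason: "Access-Control-Allow-Origin header missing" };
  }
  if (acao === "*") {
    return withCredentials
      ? { ok: false, reason: "wildcard origin is not allowed with credentials" }
      : { ok: true, reason: "wildcard origin" };
  }
  if (acao !== pageOrigin) {
    return { ok: false, reason: `Access-Control-Allow-Origin is '${acao}', not '${pageOrigin}'` };
  }
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials sent but Access-Control-Allow-Credentials is not 'true'" };
  }
  return { ok: true, reason: "origin matches" };
}

// A non-browser client has no page origin and enforces no same-origin policy:
// whatever the gateway returns is readable, regardless of any CORS headers.
function nonBrowserClientMayReadResponse() {
  return { ok: true, reason: "no same-origin policy outside a browser" };
}
```

Running the check with the page origin set to https://disallowed against either constructed response fails, while the non-browser path always succeeds, which is exactly the behaviour seen in the question's tests.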