
How to test CORS with Mule


I am using Anypoint Studio 6.1 and Mule 3.8.1 and have a Mule RESTful application that I want to stop CORS requests from being accepted by the application.

The application has been set up to do this but what is the best way to prove this is working?

From what I have read so far, the examples build their own application and I would just like to do something like send a request configured as a CORS request in Postman. How can I do this?

Thanks


Solution

  • I want to stop CORS requests from being accepted by the application. I would just like to do something like send a request configured as a CORS request in Postman

    You mean you want to block cross-origin requests just from Web applications running in browsers?

    Given that browsers are the only tools that enforce CORS restrictions, and they only do it for requests from code running in actual Web apps—not for requests from extensions such as Postman that aren’t bound by the same-origin policy that Web apps are—then you’re not going to be able to use CORS to block requests from Postman or from code not running from a Web app in a browser.

    The application has been set up to do this but what is the best way to prove this is working?

    Confirm the service isn’t sending an Access-Control-Allow-Origin response header—which it never would be unless either it were explicitly configured to do that or it’s built using some server-side programming environment/framework that adds Access-Control-Allow-Origin by default.

    But since browsers are the only tools that are ever actually going to block cross-origin requests due to lack of Access-Control-Allow-Origin, you really can only test the blocking in a Web app.

    Otherwise you can at least test outside the browser to see what response headers are returned by the server the requests are sent to. The main thing to do in that case is to be sure the request sends an Origin header (some servers only send Access-Control-Allow-Origin if a request includes an Origin header, because browsers are the only tools that automatically send Origin).

    So, using curl for example, you’d want to do this:

    # -i prints the response headers, so Access-Control-Allow-Origin (if any) is visible
    curl -i -H "Origin: https://example.com" https://service.to.test/
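
The header check described in the answer can be scripted so it is repeatable in a test run. The following is an added example, not part of the original answer: the function names, verdict labels and sample responses are constructed for illustration, and the URL and origin are the same placeholders the answer uses.

```shell
# Added example: classify a response's CORS posture from its raw headers.
# Live use (placeholder URL and origin, as in the answer):
#   curl -s -i -H "Origin: https://example.com" https://service.to.test/ \
#     | cors_verdict "https://example.com"

# Print the value of header $1 (lower-case name) from the header block in $2.
header_value() {
  printf '%s\n' "$2" | awk -v want="$1" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == want) {
      v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v
      exit
    }
  }'
}

# Read an HTTP response on stdin; $1 is the Origin value that was sent.
cors_verdict() {
  sent_origin=$1
  # Drop CRs and keep only the header block (up to the first blank line),
  # so header-like text in the body is never matched.
  hdrs=$(tr -d '\r' | sed '/^$/q')
  acao=$(header_value access-control-allow-origin "$hdrs")
  acac=$(header_value access-control-allow-credentials "$hdrs")
  if [ -z "$acao" ]; then
    echo "no-acao"        # browsers will block cross-origin reads
  elif [ "$acao" = "*" ]; then
    echo "any-origin"     # every origin may read the response
  elif [ "$acao" = "$sent_origin" ]; then
    if [ "$acac" = "true" ]; then
      echo "origin-allowed-with-credentials"
    else
      echo "origin-allowed"
    fi
  else
    echo "other-origin"   # allowed for a different origin only
  fi
}

# Constructed sample responses (not captured from any real service).
SAMPLE_LOCKED=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"ok":true}')
SAMPLE_OPEN=$(printf 'HTTP/1.1 200 OK\r\naccess-control-allow-origin: *\r\n\r\n{}')
SAMPLE_REFLECT=$(printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://example.com\r\nAccess-Control-Allow-Credentials: true\r\n\r\n{}')

printf '%s' "$SAMPLE_LOCKED" | cors_verdict "https://example.com"
```

For the goal in the question, `no-acao` is the result to expect; run the check against every route and method the application exposes, since the header can be configured per endpoint.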