Nav

About CORS on Mule Runtime 4.x

CORS complies with Cross-Origin Resource Sharing W3C Recommendation 16 January 2014. From API Manager, you can apply CORS as a policy using the configuration steps described in Jul 2017 documentation. See links below.

cors mule4

Running under Mule Runtime, and connected to API Manager, you can modify the configuration of the CORS policy while the API is up and running.

Important: The CORS policy cannot be ordered. This isn’t a technical limitation, but rather by design. MuleSoft does not know of any customer who has a reason to put CORS in any order but first.

No OPTIONS request can reach the backend if CORS is configured, as this request is treated as a Preflight according to the CORS-compliant RFC.

CORS as an Interceptor

In Mule Runtime 4.0, the CORS Interceptor is a element in the HTTP Listener configuration. To be consistent, its configuration is the same as in the policy.

The CORS configuration structure may change whether it is configured as a public resource or for a selected group of origins. The structure of the latter option is:

<http:listener-interceptors>
   <http:cors-interceptor allowCredentials="optional boolean value (true/false)">
       <http:origins> (collection of origins)
           <http:origin url="http://origin.com" accessControlMaxAge="integer value">
               <http:allowed-methods>
                   <http:method methodName="method 1"/>
	    ...
                   <http:method methodName="method n"/>
               </http:allowed-methods>
               <http:allowed-headers>
                   <http:header headerName="header 1"/>
 	    ...
                   <http:header headerName="header n"/>
               </http:allowed-headers>
               <http:expose-headers>
                   <http:header headerName="header 1"/>
	    …
                   <http:header headerName="header n"/>
               </http:expose-headers>
           </http:origin>
       </http:origins>
   </http:cors-interceptor>
</http:listener-interceptors>

The public resource configuration looks like this:

<http:listener-interceptors>
   <http:cors-interceptor allowCredentials="optional boolean value (true/false)">
       <http:origins>
           <http:public-resource/>
       </http:origins>
   </http:cors-interceptor>
</http:listener-interceptors>