<div dir="ltr">I attached an image. Also I added different kinds of headers, just to pass in case of "Camel Case" validation<br>Unfortunately the CORS validation still occurs when I use the plugin...<br></div><div class="gmail_extra"><br><div class="gmail_quote">2017-10-02 15:00 GMT-03:00 Marc Savy <span dir="ltr"><<a href="mailto:marc.savy@redhat.com" target="_blank">marc.savy@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This is from memory, but no, I don't think so: the API key is needed<br>
before the correct policy chain (including CORS policy) can be<br>
resolved.<br>
<br>
The CORS protocol, when using a custom header, requires a preflight<br>
request, however the preflight does not allow any custom headers to be<br>
set, so we can't currently resolve the correct policy chain.<br>
<br>
We could think about specifically making X-API-Key available for<br>
preflight as I think that should always be okay, but I'll have to<br>
investigate whether there are any downsides.<br>
<br>
Of course, we could continue saying to use a query param in that scenario!<br>
<div class="HOEnZb"><div class="h5"><br>
On 2 October 2017 at 18:37, Eric Wittmann <<a href="mailto:eric.wittmann@redhat.com">eric.wittmann@redhat.com</a>> wrote:<br>
> Just to be clear - if X-API-Key is added as an allowed CORS header in the<br>
> CORS plugin configuration, does that solve the issue?<br>
><br>
> -Eric<br>
><br>
><br>
> On Mon, Oct 2, 2017 at 1:17 PM, Celso Agra <<a href="mailto:celso.agra@gmail.com">celso.agra@gmail.com</a>> wrote:<br>
>><br>
>> So, there is no prob to pass as query param!<br>
>><br>
>> Thanks Marc<br>
>><br>
>> Best Regards,<br>
>><br>
>> Celso Agra<br>
>><br>
>> 2017-10-02 13:49 GMT-03:00 Marc Savy <<a href="mailto:marc.savy@redhat.com">marc.savy@redhat.com</a>>:<br>
>>><br>
>>> Hi Celso,<br>
>>><br>
>>> The query string is encrypted with SSL/TLS.<br>
>>><br>
>>> Regards,<br>
>>> Marc<br>
>>><br>
>>> On 2 October 2017 at 17:40, Celso Agra <<a href="mailto:celso.agra@gmail.com">celso.agra@gmail.com</a>> wrote:<br>
>>>><br>
>>>> Yeah! It is! My concern is because I'm passing the apiKey as a query<br>
>>>> param.<br>
>>>><br>
>>>> I don't know if requests works like this in ssl requests, but I believe<br>
>>>> that query params can be viewed if you have a sniffer, unlike header params.<br>
>>>><br>
>>>> So, I'm probably have to allow X-API-Key header in Apiman requests.<br>
>>>> Would be possible to add this feature in a plugin or maybe in the Apiman?<br>
>>>> I'll take a look in some classes to know how to do that.<br>
>>>><br>
>>>> I'd like to know if it is a feature that will contribute with the<br>
>>>> project.<br>
>>>><br>
>>>> Thanks for your answer Marc.<br>
>>>><br>
>>>> Best Regards,<br>
>>>><br>
>>>> Celso Agra<br>
>>>><br>
>>>><br>
>>>> 2017-10-02 9:18 GMT-03:00 Marc Savy <<a href="mailto:marc.savy@redhat.com">marc.savy@redhat.com</a>>:<br>
>>>>><br>
>>>>> If I understand your questions correctly: by default CORS does not<br>
>>>>> allow any custom headers to be sent in the request. This means that Apiman<br>
>>>>> does not receive the X-API-Key header and necessarily can't figure out how<br>
>>>>> to route the request. The same CORS restriction does not exist with query<br>
>>>>> parameters so if you provide it with the query param you'll be okay.<br>
>>>>><br>
>>>>> Perhaps a (partial) solution to some of these kinds of CORS issues is<br>
>>>>> for Apiman to always indicate that the X-API-Key header is allowed.<br>
>>>>><br>
>>>>> Regards,<br>
>>>>> Marc<br>
>>>>><br>
>>>>> On 27 September 2017 at 05:35, Celso Agra <<a href="mailto:celso.agra@gmail.com">celso.agra@gmail.com</a>> wrote:<br>
>>>>>><br>
>>>>>> Hi all,<br>
>>>>>><br>
>>>>>> I got some errors with CORS plugin when I try to use my API with a<br>
>>>>>> contract.<br>
>>>>>><br>
>>>>>> So, I consume my API passing info through header, such as:<br>
>>>>>> Authorization, Content-Type, and X-API-Key.<br>
>>>>>> I'm talking about a javascript application. So, CORS is a problem for<br>
>>>>>> that language.<br>
>>>>>><br>
>>>>>> When I configure my contract to allow Cross-Origin, the error still<br>
>>>>>> there, but if I put my X-API-Key, as a query parameter, the CORS works fine.<br>
>>>>>> Does anyone could help me to understand that?<br>
>>>>>><br>
>>>>>> I'm concerned to pass my contract as a query parameter. It should be<br>
>>>>>> on Header of my Http Request.<br>
>>>>>> Please, help me to understand if it is a behaviour of the application<br>
>>>>>> and how can I solve this without use query param.<br>
>>>>>><br>
>>>>>> Best Regards,<br>
>>>>>><br>
>>>>>> --<br>
>>>>>> ---<br>
>>>>>> Celso Agra<br>
>>>>>><br>
>>>>>> ______________________________<wbr>_________________<br>
>>>>>> Apiman-user mailing list<br>
>>>>>> <a href="mailto:Apiman-user@lists.jboss.org">Apiman-user@lists.jboss.org</a><br>
>>>>>> <a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/apiman-user</a><br>
>>>>>><br>
>>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> --<br>
>>>> ---<br>
>>>> Celso Agra<br>
>>><br>
>>><br>
>><br>
>><br>
>><br>
>> --<br>
>> ---<br>
>> Celso Agra<br>
>><br>
>> ______________________________<wbr>_________________<br>
>> Apiman-user mailing list<br>
>> <a href="mailto:Apiman-user@lists.jboss.org">Apiman-user@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/apiman-user</a><br>
>><br>
><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><span style="font-family:'Times New Roman';font-size:16px">---<br><b>Celso Agra</b></span></div></div></div></div></div>
</div>