<div dir="ltr"><div>I understand!</div><div><br></div><div>I got this conflict because part of my application is made in Angular 4. </div><div>I'm using the apikey as a query param, but this was a question for me: "is it right to put the apikey as a query param?"</div><div><br></div><div>I believe there is no problem leaving this as a query param, since the URL is also encrypted.</div><div><br></div><div>Thanks for your attention, Eric and Marc!</div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-10-02 15:22 GMT-03:00 Marc Savy <span dir="ltr"><<a href="mailto:marc.savy@redhat.com" target="_blank">marc.savy@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Correction:<br>
<span class=""><br>
I think that we can provide full functionality in all<br>
circumstances.<br>
<br>
</span>I think that we *cannot* provide full functionality in all<br>
circumstances.<br>
<div class="HOEnZb"><div class="h5"><br>
On 2 October 2017 at 19:21, Marc Savy <<a href="mailto:marc.savy@redhat.com">marc.savy@redhat.com</a>> wrote:<br>
> I seem to recall another annoying knot: as you can't set any custom<br>
> headers on a preflight request itself in most browsers (any?),<br>
> reaching the correct CORS policy is impossible when putting the<br>
> X-API-Key in the header. This probably explains why people like Google<br>
> require it to be a query parameter.<br>
><br>
> Therefore, unless we encoded that information in the URL itself (seems<br>
> a bad idea) I think that we can provide full functionality in all<br>
> circumstances.<br>
><br>
> Unless someone else thinks I'm wrong? Happy to hear alternative theories.<br>
><br>
> On 2 October 2017 at 19:07, Celso Agra <<a href="mailto:celso.agra@gmail.com">celso.agra@gmail.com</a>> wrote:<br>
>> I attached an image. Also I added different kinds of headers, just to pass<br>
>> in case of "Camel Case" validation<br>
>> Unfortunately the CORS validation still occurs when I use the plugin...<br>
>><br>
>> 2017-10-02 15:00 GMT-03:00 Marc Savy <<a href="mailto:marc.savy@redhat.com">marc.savy@redhat.com</a>>:<br>
>>><br>
>>> This is from memory, but no, I don't think so: the API key is needed<br>
>>> before the correct policy chain (including CORS policy) can be<br>
>>> resolved.<br>
>>><br>
>>> The CORS protocol, when using a custom header, requires a preflight<br>
>>> request, however the preflight does not allow any custom headers to be<br>
>>> set, so we can't currently resolve the correct policy chain.<br>
>>><br>
>>> We could think about specifically making X-API-Key available for<br>
>>> preflight as I think that should always be okay, but I'll have to<br>
>>> investigate whether there are any downsides.<br>
>>><br>
>>> Of course, we could continue saying to use a query param in that scenario!<br>
>>><br>
>>> On 2 October 2017 at 18:37, Eric Wittmann <<a href="mailto:eric.wittmann@redhat.com">eric.wittmann@redhat.com</a>><br>
>>> wrote:<br>
>>> > Just to be clear - if X-API-Key is added as an allowed CORS header in<br>
>>> > the<br>
>>> > CORS plugin configuration, does that solve the issue?<br>
>>> ><br>
>>> > -Eric<br>
>>> ><br>
>>> ><br>
>>> > On Mon, Oct 2, 2017 at 1:17 PM, Celso Agra <<a href="mailto:celso.agra@gmail.com">celso.agra@gmail.com</a>> wrote:<br>
>>> >><br>
>>> >> So, there is no problem passing it as a query param!<br>
>>> >><br>
>>> >> Thanks Marc<br>
>>> >><br>
>>> >> Best Regards,<br>
>>> >><br>
>>> >> Celso Agra<br>
>>> >><br>
>>> >> 2017-10-02 13:49 GMT-03:00 Marc Savy <<a href="mailto:marc.savy@redhat.com">marc.savy@redhat.com</a>>:<br>
>>> >>><br>
>>> >>> Hi Celso,<br>
>>> >>><br>
>>> >>> The query string is encrypted with SSL/TLS.<br>
>>> >>><br>
>>> >>> Regards,<br>
>>> >>> Marc<br>
>>> >>><br>
>>> >>> On 2 October 2017 at 17:40, Celso Agra <<a href="mailto:celso.agra@gmail.com">celso.agra@gmail.com</a>> wrote:<br>
>>> >>>><br>
>>> >>>> Yeah! It is! My concern is because I'm passing the apiKey as a query<br>
>>> >>>> param.<br>
>>> >>>><br>
>>> >>>> I don't know if requests work like this in SSL requests, but I<br>
>>> >>>> believe<br>
>>> >>>> that query params can be viewed if you have a sniffer, unlike header<br>
>>> >>>> params.<br>
>>> >>>><br>
>>> >>>> So, I'll probably have to allow the X-API-Key header in Apiman requests.<br>
>>> >>>> Would it be possible to add this feature in a plugin or maybe in<br>
>>> >>>> Apiman?<br>
>>> >>>> I'll take a look at some classes to know how to do that.<br>
>>> >>>><br>
>>> >>>> I'd like to know if it is a feature that will contribute to the<br>
>>> >>>> project.<br>
>>> >>>><br>
>>> >>>> Thanks for your answer Marc.<br>
>>> >>>><br>
>>> >>>> Best Regards,<br>
>>> >>>><br>
>>> >>>> Celso Agra<br>
>>> >>>><br>
>>> >>>><br>
>>> >>>> 2017-10-02 9:18 GMT-03:00 Marc Savy <<a href="mailto:marc.savy@redhat.com">marc.savy@redhat.com</a>>:<br>
>>> >>>>><br>
>>> >>>>> If I understand your questions correctly: by default CORS does not<br>
>>> >>>>> allow any custom headers to be sent in the request. This means that<br>
>>> >>>>> Apiman<br>
>>> >>>>> does not receive the X-API-Key header and necessarily can't figure<br>
>>> >>>>> out how<br>
>>> >>>>> to route the request. The same CORS restriction does not exist with<br>
>>> >>>>> query<br>
>>> >>>>> parameters so if you provide it with the query param you'll be okay.<br>
>>> >>>>><br>
>>> >>>>> Perhaps a (partial) solution to some of these kinds of CORS issues<br>
>>> >>>>> is<br>
>>> >>>>> for Apiman to always indicate that the X-API-Key header is allowed.<br>
>>> >>>>><br>
>>> >>>>> Regards,<br>
>>> >>>>> Marc<br>
>>> >>>>><br>
>>> >>>>> On 27 September 2017 at 05:35, Celso Agra <<a href="mailto:celso.agra@gmail.com">celso.agra@gmail.com</a>><br>
>>> >>>>> wrote:<br>
>>> >>>>>><br>
>>> >>>>>> Hi all,<br>
>>> >>>>>><br>
>>> >>>>>> I got some errors with the CORS plugin when I try to use my API with a<br>
>>> >>>>>> contract.<br>
>>> >>>>>><br>
>>> >>>>>> So, I consume my API passing info through headers, such as:<br>
>>> >>>>>> Authorization, Content-Type, and X-API-Key.<br>
>>> >>>>>> I'm talking about a JavaScript application. So, CORS is a problem<br>
>>> >>>>>> for<br>
>>> >>>>>> that language.<br>
>>> >>>>>><br>
>>> >>>>>> When I configure my contract to allow Cross-Origin, the error is still<br>
>>> >>>>>> there, but if I put my X-API-Key as a query parameter, the CORS<br>
>>> >>>>>> works fine.<br>
>>> >>>>>> Could anyone help me understand that?<br>
>>> >>>>>><br>
>>> >>>>>> I'm concerned about passing my contract as a query parameter. It should<br>
>>> >>>>>> be<br>
>>> >>>>>> in the header of my HTTP request.<br>
>>> >>>>>> Please help me understand if it is a behaviour of the<br>
>>> >>>>>> application<br>
>>> >>>>>> and how I can solve this without using a query param.<br>
>>> >>>>>><br>
>>> >>>>>> Best Regards,<br>
>>> >>>>>><br>
>>> >>>>>> --<br>
>>> >>>>>> ---<br>
>>> >>>>>> Celso Agra<br>
>>> >>>>>><br>
>>> >>>>>> ______________________________<wbr>_________________<br>
>>> >>>>>> Apiman-user mailing list<br>
>>> >>>>>> <a href="mailto:Apiman-user@lists.jboss.org">Apiman-user@lists.jboss.org</a><br>
>>> >>>>>> <a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/apiman-user</a><br>
>>> >>>>>><br>
>>> >>>>><br>
>>> >>>><br>
>>> >>>><br>
>>> >>>><br>
>>> >>>> --<br>
>>> >>>> ---<br>
>>> >>>> Celso Agra<br>
>>> >>><br>
>>> >>><br>
>>> >><br>
>>> >><br>
>>> >><br>
>>> >> --<br>
>>> >> ---<br>
>>> >> Celso Agra<br>
>>> >><br>
>>> >><br>
>>> ><br>
>><br>
>><br>
>><br>
>><br>
>> --<br>
>> ---<br>
>> Celso Agra<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><span style="font-family:'Times New Roman';font-size:16px">---<br><b>Celso Agra</b></span></div></div></div></div></div>
</div>
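<div>Added example, not part of the original thread and not Apiman code: a small model of why the preflight described above cannot reach a contract's CORS policy when the key is in the X-API-Key header, but can when it is the apikey query parameter. The contract table, hosts, key value and function names are assumptions made up for illustration.</div>

```javascript
// Model of the behaviour discussed in the thread; constructed for illustration,
// not Apiman code. Keys, hosts and contract data are made-up sample values.
const CONTRACTS = new Map([
  ['key-123', { allowOrigin: 'https://app.example',
                allowHeaders: ['authorization', 'content-type', 'x-api-key'] }],
]);

// Preflight a browser sends before a cross-origin request with custom headers.
// Only the header *names* travel (Access-Control-Request-Headers), never their
// values; the URL, including its query string, is unchanged.
// Assumes every header passed in is non-safelisted (true for the ones used here).
function buildPreflight(url, method, headers, origin) {
  const names = Object.keys(headers).map((h) => h.toLowerCase()).sort();
  return {
    method: 'OPTIONS',
    url,
    headers: {
      'origin': origin,
      'access-control-request-method': method,
      'access-control-request-headers': names.join(','),
    },
  };
}

// Gateway side: the key selects the contract, and the contract holds the CORS policy.
function resolveApiKey(req) {
  return req.headers['x-api-key'] || new URL(req.url).searchParams.get('apikey');
}

function handlePreflight(req) {
  const contract = CONTRACTS.get(resolveApiKey(req));
  if (!contract) return { status: 'no-policy-chain', corsHeaders: {} };
  return {
    status: 'ok',
    corsHeaders: {
      'access-control-allow-origin': contract.allowOrigin,
      'access-control-allow-headers': contract.allowHeaders.join(','),
    },
  };
}

const ORIGIN = 'https://app.example';
const headerPreflight = buildPreflight(
  'https://gw.example/orders', 'GET', { 'X-API-Key': 'key-123' }, ORIGIN);
const queryPreflight = buildPreflight(
  'https://gw.example/orders?apikey=key-123', 'GET', { Authorization: 'Bearer t' }, ORIGIN);
console.log('key in header:', handlePreflight(headerPreflight).status);
console.log('key in query: ', handlePreflight(queryPreflight).status);
```

<div>With the key in the URL, TLS protects it in transit, but it is still recorded wherever full URLs are stored (server access logs, proxies, browser history), so those stores need the same handling as the key itself.</div>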