Re: [Apiman-user] How to solve the conflict about CORS and the X-API-Key in header?

So, there is no prob to pass as query param! Thanks Marc Best Regards, Celso Agra 2017-10-02 13:49 GMT-03:00 Marc Savy <marc.savy(a)redhat.com&gt;: > Hi Celso, > > The query string is encrypted with SSL/TLS. > > Regards, > Marc > > On 2 October 2017 at 17:40, Celso Agra <celso.agra(a)gmail.com&gt; wrote: > >> Yeah! It is! My concern is because I'm passing the apiKey as a query >> param. >> >> I don't know if requests works like this in ssl requests, but I believe >> that query params can be viewed if you have a sniffer, unlike header params. >> >> So, I'm probably have to allow X-API-Key header in Apiman requests. >> Would be possible to add this feature in a plugin or maybe in the Apiman? >> I'll take a look in some classes to know how to do that. >> >> I'd like to know if it is a feature that will contribute with the >> project. >> >> Thanks for your answer Marc. >> >> Best Regards, >> >> Celso Agra >> >> >> 2017-10-02 9:18 GMT-03:00 Marc Savy <marc.savy(a)redhat.com&gt;: >> >>> If I understand your questions correctly: by default CORS does not >>> allow any custom headers to be sent in the request. This means that Apiman >>> does not receive the X-API-Key header and necessarily can't figure out how >>> to route the request. The same CORS restriction does not exist with query >>> parameters so if you provide it with the query param you'll be okay. >>> >>> Perhaps a (partial) solution to some of these kinds of CORS issues is >>> for Apiman to always indicate that the X-API-Key header is allowed. >>> >>> Regards, >>> Marc >>> >>> On 27 September 2017 at 05:35, Celso Agra <celso.agra(a)gmail.com&gt; wrote: >>> >>>> Hi all, >>>> >>>> I got some errors with CORS plugin when I try to use my API with a >>>> contract. >>>> >>>> So, I consume my API passing info through header, such as: >>>> Authorization, Content-Type, and X-API-Key. >>>> I'm talking about a javascript application. So, CORS is a problem for >>>> that language. >>>> >>>> When I configure my contract to allow Cross-Origin, the error still >>>> there, but if I put my X-API-Key, as a query parameter, the CORS works fine. >>>> Does anyone could help me to understand that? >>>> >>>> I'm concerned to pass my contract as a query parameter. It should be >>>> on Header of my Http Request. >>>> Please, help me to understand if it is a behaviour of the application >>>> and how can I solve this without use query param. >>>> >>>> Best Regards, >>>> >>>> -- >>>> --- >>>> *Celso Agra* >>>> >>>> _______________________________________________ >>>> Apiman-user mailing list >>>> Apiman-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/apiman-user >>>> >>>> >>> >> >> >> -- >> --- >> *Celso Agra* >> > > -- --- *Celso Agra* _______________________________________________ Apiman-user mailing list Apiman-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/apiman-user