Notes for CORS testing
Echo the value of the HTTP request's Origin header back in the response's Access-Control-Allow-Origin header.
Use Transform Rules
- When the request has an Origin header
- Add Access-Control-Allow-Origin to the response
- Copy the value over
API
$ rsid=`curl -s -X GET -H "Content-Type: application/json" -H "X-Auth-Email: $EMAIL" -H "X-Auth-Key: $API_KEY" "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" |jq -r '.result[] |select(.phase == "http_response_headers_transform")|.id'`;curl -s -X GET -H "Content-Type: application/json" -H "X-Auth-Email: $EMAIL" -H "X-Auth-Key: $API_KEY" "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$rsid"|jq '.result.rules[]|select (.description|contains("allow"))'
{
  "id": "fd4a47a184c24ee29faa64b916bd589f",
  "version": "7",
  "action": "rewrite",
  "expression": "any(lower(http.request.headers.names[*])[*] matches \"^origin$\")\n",
  "description": "allow origin (cross origin resource sharing)",
  "last_updated": "2023-08-09T01:03:15.029903Z",
  "ref": "fd4a47a184c24ee29faa64b916bd589f",
  "enabled": true,
  "action_parameters": {
    "headers": {
      "Access-Control-Allow-Origin": {
        "operation": "set",
        "expression": "http.request.headers[\"origin\"][0]"
      }
    }
  }
}
Test
$ curl https://somehost/ -H "Origin: https://www.example.com" -svo /dev/null 2>&1 |grep -i origin
* h2 [origin: https://www.example.com]
> Origin: https://www.example.com
< access-control-allow-origin: https://www.example.com
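
An added example, not part of the original memo: a shell helper that classifies the response headers from the test above, reporting whether the Origin was reflected, whether Vary: Origin accompanies it, and whether Access-Control-Allow-Credentials is true. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# hdr_value NAME: print the value of the first response header NAME (lowercase) on stdin.
# Accepts plain header dumps (curl -D -) and curl -v output (lines prefixed "< ").
hdr_value() {
    tr -d '\r' | sed 's/^< //' | awk -v want="$1" '{
        i = index($0, ":")
        if (!found && i && tolower(substr($0, 1, i - 1)) == want) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; found = 1
        }
    }'
}

# classify_cors SENT_ORIGIN: read response headers on stdin, print one verdict line.
classify_cors() {
    sent=$1
    hdrs=$(cat)
    acao=$(printf '%s\n' "$hdrs" | hdr_value access-control-allow-origin)
    acac=$(printf '%s\n' "$hdrs" | hdr_value access-control-allow-credentials)
    vary=$(printf '%s\n' "$hdrs" | hdr_value vary | tr 'A-Z' 'a-z' | tr -d ' \t')

    if [ -z "$acao" ]; then verdict=no-acao
    elif [ "$acao" = "*" ]; then verdict=wildcard
    elif [ "$acao" = "$sent" ]; then verdict=reflected
    else verdict=other-origin
    fi
    # A per-request ACAO value needs Vary: Origin, otherwise a shared cache
    # can hand one origin's response to a different origin.
    if [ "$verdict" = reflected ]; then
        case ",$vary," in *,origin,*) ;; *) verdict="$verdict no-vary-origin" ;; esac
    fi
    # Browsers expose credentialed responses only when this header is exactly "true".
    [ "$acac" = "true" ] && verdict="$verdict credentials"
    printf '%s\n' "$verdict"
}

# Constructed sample: the three lines shown in the test output above.
sample='* h2 [origin: https://www.example.com]
> Origin: https://www.example.com
< access-control-allow-origin: https://www.example.com'
printf '%s\n' "$sample" | classify_cors https://www.example.com
# prints: reflected no-vary-origin
```

Against a live host, feed it the headers directly: `curl -s -o /dev/null -D - -H "Origin: https://www.example.com" https://somehost/ | classify_cors https://www.example.com`.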