Enabling CORS support for Endpoints

CORS (Cross-origin resource sharing) is a standard mechanism that allows XMLHttpRequest (XHR) calls executed in a web page to interact with resources from different origins. Without CORS, the same-origin policy enforced by all browsers would prevent cross-origin requests. For more background information on CORS, see the Mozilla Developer Network (MDN) reference documentation.

The CORS standard requires that web clients issue a CORS preflight OPTIONS to determine if the requested web server supports CORS. If a web server supports CORS request, it will handle the OPTIONS request with proper CORS response headers.

Handle CORS in your backend application

If your backend supports CORS, you can configure ESP or ESPv2 Beta to pass the CORS request to your backend. you can enable pass-through in the OpenAPI spec for your API as shown below:

swagger: "2.0"
host: "my-cool-api.endpoints.my-project-id.cloud.goog"
x-google-endpoints:
- name: "my-cool-api.endpoints.my-project-id.cloud.goog"
  allowCors: True

Handle CORS with ESP or ESPv2 Beta

If your backend does not support CORS, you can configure ESP or ESPv2 Beta to handle CORS requests by specifying CORS startup flags. In this approach, the CORS requests will not pass through to your backend application.

The following CORS startup options are available for ESP and ESPv2 Beta