The Swagger X-GW-CORS-policy object

The Guidewire Swagger schema currently allows only CORS policies to use external property substitution. You can set any of the properties in a CORS Policy object using the standard external property syntax, with properties under the swagger namespace. For example, the following code defines a complete CORS policy whose values you can substitute at runtime using the external properties provided by the ExternalConfigurationProviderPlugin plugin, with the string "swagger" prepended to each of the property names.
x-gw-cors-policies:  
  account:    
    enabled: ${cors.account.enabled:true}    
    allowOrigins: ${cors.account.allowOrigins:any}    
    allowMethods: ${cors.account.allowMethods:null}    
    allowHeaders: ${cors.account.allowHeaders:null}    
    allowCredentials: ${cors.account.allowCredentials:true}    
    exposeHeaders: ${cors.account.exposeHeaders:null}    
    maxAge: ${cors.account.maxAge:1200}

Required properties

Property Type Description Combination style
allowOrigins string
Specifies which origins PolicyCenter allows for CORS requests. The value must be one of the following:
  • The character *
  • The string "any"
  • A comma-separated list of origins or regular expressions
First non-null
The string value of the allowOrigins property must be one of the following values.
String value Means
*
The "*" string indicates the following:
  • PolicyCenter allows all CORS request origins.
  • PolicyCenter returns the Access-Control-Allow-Origin response header as *.
  • Property allowCredentials is set to false.
any
The "any" string indicates the following:
  • PolicyCenter allows all CORS request origins.
  • PolicyCenter sets the Access-Control-Allow-Origin response header to the value of the Origin request header.
Comma-separated list

A comma-separated list provides a list of explicit origin values or regular expressions. PolicyCenter allows CORS requests for origins that match an element in the list, either by exactly matching an allowed origin or by matching a regular expression in the list.

Use the following format for an origin string:
  • scheme://domain[:port]

If the element is an explicit origin, omit the optional port value (and colon) if the port is the default port for the scheme.

PolicyCenter sets the value of the Access-Control-Allow-Origin response header to the value of the Origin request header.

Optional properties

Property Type Description Combination style
enabled boolean

If set to false, PolicyCenter disables CORS for any endpoints using this policy. The property defaults to true if you do not specify a value.

First non-null
allowHeaders string
A comma-separated list of request headers to allow for CORS requests:
  • If you do not specify a value, PolicyCenter allows all header types for CORS requests.
  • If you specify a value, PolicyCenter allows the following header types:
    • Headers that the property explicitly specifies
    • Standard CORS safe-listed headers
    • Headers defined by Guidewire such as X-Correlation-ID and GW-Language
First non-null
allowMethods string
A comma-separated list of methods to allow for CORS requests:
  • If you do not specify a value, PolicyCenter allows all methods.

  • If you specify a value, PolicyCenter permits only the specific methods that you identify.

First non-null
allowCredentials boolean

If set to true, PolicyCenter adds the Access-Control-Allow-Credentials header to the CORS responses. If you do not specify a value, the default is false.

First non-null
exposeHeaders string

A comma-separated list of header names to return as the value of the Access-Control-Expose-Headers response header. If you do not specify a value (or specify false), PolicyCenter does not add the Access-Control-Expose-Headers header to the responses.

First non-null
maxAge integer
The value to return for the Access-Control-Max-Age header:
  • If you do not specify a value, the default value is 600.
  • If you specify -1, PolicyCenter removes the Access-Control-Max-Age response header entirely.
First non-null
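
The following Python model is an added example, not Guidewire code. It applies the allowOrigins, allowCredentials, enabled and maxAge rules from the tables above to a single request Origin, and includes an audit check for a policy that echoes every origin while also sending Access-Control-Allow-Credentials, which is what the default values in the example policy at the top of this page resolve to. Assumptions: a list element shaped like scheme://domain[:port] is an explicit origin and anything else is a regular expression, regular expressions must match the whole Origin value, and the credentials header carries the value "true".

```python
import re

# Assumption: an element shaped like scheme://domain[:port] is an explicit origin;
# anything else in the list is treated as a regular expression.
ORIGIN_RE = re.compile(r"(https?)://([A-Za-z0-9.-]+)(?::(\d+))?")
DEFAULT_PORTS = {"http": "80", "https": "443"}

def normalize(origin):
    """Drop a default port; return None if not an explicit origin."""
    m = ORIGIN_RE.fullmatch(origin)
    if not m:
        return None
    scheme, host, port = m.groups()
    suffix = f":{port}" if port and port != DEFAULT_PORTS[scheme] else ""
    return f"{scheme}://{host.lower()}{suffix}"

def origin_allowed(allow_origins, origin):
    if allow_origins in ("*", "any"):
        return True
    for element in (e.strip() for e in allow_origins.split(",")):
        explicit = normalize(element)
        if explicit is not None:
            if explicit == normalize(origin):
                return True
        elif re.fullmatch(element, origin):  # assumption: anchored match
            return True
    return False

def cors_headers(policy, origin):
    """Response headers for one request Origin, per the property tables."""
    allow = policy["allowOrigins"]
    if not policy.get("enabled", True) or not origin_allowed(allow, origin):
        return {}
    headers = {"Access-Control-Allow-Origin": "*" if allow == "*" else origin}
    if allow != "*" and policy.get("allowCredentials", False):
        headers["Access-Control-Allow-Credentials"] = "true"
    if policy.get("maxAge", 600) != -1:
        headers["Access-Control-Max-Age"] = str(policy.get("maxAge", 600))
    return headers

def audit(policy):
    """Flag a policy that grants credentialed access to every origin."""
    if (policy.get("enabled", True) and policy["allowOrigins"] == "any"
            and policy.get("allowCredentials", False)):
        return ["allowOrigins 'any' echoes every Origin and allowCredentials is true"]
    return []

# Constructed sample: the defaults from the page's example policy.
PAGE_DEFAULTS = {"enabled": True, "allowOrigins": "any", "allowCredentials": True, "maxAge": 1200}
```
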