How to enable CORS for a single website for my REST API in AppEngine

Question

I have an API in Appengine in a flexible environment. It does not support CORS. I believe it is because it doesn't support it by default

After ESP 1.0 is released on January 2, 2017, all Flexible Environment API deployments will feature the new version of ESP and will automatically disallow CORS requests by default. App Engine applications are automatically redeployed every 7 days, so sometime in the 7 days following the release of ESP 1.0, your app will be restarted with the latest version and will automatically be protected from unintended cross origin sharing.

If you are using Flexible Environments and would like to continue to allow CORS requests, you must add the "x-google-endpoints" snippet above to your API configuration (aka OpenAPI specification aka Swagger file). If you are relying on CORS, we recommend that you add the snippet as soon as possible and redeploy your service using the following command to avoid service interruption. Then you will not see changed behavior when the new version of ESP rolls out.

This page tells me to set allowCors = True and implement support in my backend code (do they mean my main.go?) https://cloud.google.com/endpoints/docs/openapi/openapi-extensions

This page tell me to add some code to my ESP, but I'm not sure where it means - in my openapi swagger file? https://cloud.google.com/endpoints/docs/openapi/specify-proxy-startup-options#adding_cors_support_to_esp

This page https://enable-cors.org/server_appengine.html tells me to add this code, I assume to my main.go, but what does it mean?

func doGet(w http.ResponseWriter, r *http.Request) {
  w.Header().Add("Access-Control-Allow-Origin", "*")
  w.Header().Add("Content-Type", "text/csv")
  fmt.Fprintf(w, csvData)
}

I am struggling to find straight forward steps to enable CORS support for one website on my AppEngine API. Can someone support please?

Thanks :)

Answer 1

The most straightforward way to achieve it is to add the x-google-extension at the top level of your OpenAPI document:

swagger: "2.0"
host: "my-cool-api.endpoints.my-project-id.cloud.goog"
x-google-endpoints:
- name: "my-cool-api.endpoints.my-project-id.cloud.goog"
  allowCors: True

There's more information regarding that in the first link you found.

Regarding your question:

This page https://enable-cors.org/server_appengine.html tells me to add this code, I assume to my main.go, but what does it mean?

func doGet(w http.ResponseWriter, r *http.Request) {
  w.Header().Add("Access-Control-Allow-Origin", "*")
  w.Header().Add("Content-Type", "text/csv")
  fmt.Fprintf(w, csvData)
  }

That piece of code what will do is add the CORS headers whenever a GET request is received.

EDIT:

Just to clarify, enabling CORS in Cloud Endpoints will only allow the request to hit your backend, but you have to handle the access restriction in your backend code.

As you want to restrict the CORS to only one webpage, the code will then look like:

func doGet(w http.ResponseWriter, r *http.Request) {
      w.Header().Add("Access-Control-Allow-Origin", "https://www.example.com")
      w.Header().Add("Content-Type", "text/csv")
      fmt.Fprintf(w, csvData)
      }

With this example, only the website https://www.example.com will be allowed.