# CORS

## Standard
Cross-Origin Resource Sharing (CORS) allows a browser to make complex HTTP requests to servers located on a different domain (e.g. from the pyrusapps.blackpear.com domain to a FHIR endpoint's domain).

When the application makes a request to the FHIR endpoint, the browser first sends a preflight request. This happens for every call made to the FHIR endpoint, so the chain of requests made to a FHIR endpoint that provides Encounters and Allergies would look like:
```
OPTIONS https://fhir-endpoint.nhs.uk/fhir/metadata
GET https://fhir-endpoint.nhs.uk/fhir/metadata
OPTIONS https://fhir-endpoint.nhs.uk/fhir/Patient?identifier=https:%2F%2Ffhir.nhs.uk%2FId%2Fnhs-number%7C9449303789
GET https://fhir-endpoint.nhs.uk/fhir/Patient?identifier=https:%2F%2Ffhir.nhs.uk%2FId%2Fnhs-number%7C9449303789
OPTIONS https://fhir-endpoint.nhs.uk/fhir/Encounter?patient.identifier=https:%2F%2Ffhir.nhs.uk%2FId%2Fnhs-number%7C9449303789
GET https://fhir-endpoint.nhs.uk/fhir/Encounter?patient.identifier=https:%2F%2Ffhir.nhs.uk%2FId%2Fnhs-number%7C9449303789
OPTIONS https://fhir-endpoint.nhs.uk/fhir/AllergyIntolerance?patient.identifier=https:%2F%2Ffhir.nhs.uk%2FId%2Fnhs-number%7C9449303789
GET https://fhir-endpoint.nhs.uk/fhir/AllergyIntolerance?patient.identifier=https:%2F%2Ffhir.nhs.uk%2FId%2Fnhs-number%7C9449303789
```
CORS OPTIONS requests are generated and sent by the browser and are not controlled by the scripts on the page, so they carry a standard set of headers. This means that the OPTIONS requests themselves will carry no Authorization header.
Example headers on a CORS OPTIONS request:

```
Host: fhir-endpoint.nhs.uk
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Referer: https://pyrusapps.blackpear.com/esp/
Origin: https://pyrusapps.blackpear.com
DNT: 1
Connection: keep-alive
TE: Trailers
```
The response from a preflight request informs the browser whether the request it is attempting to make is supported by the server. The required response headers for the SIDeR application are: Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers.
### Access-Control-Allow-Origin

The value of this header must match the originating domain of the request, or be the wildcard `*` symbol, e.g.

```
Access-Control-Allow-Origin: https://pyrusapps.blackpear.com
```
Since the spec does not support specifying multiple origins in the response header, one strategy to keep CORS requests locked down is to compare the Origin header of the preflight request against a list of known origins, and only add the Access-Control-Allow-Origin header, with that origin as its value, if a match is found.
### Access-Control-Allow-Methods

The value of this header is a comma-separated list of the HTTP request methods that should be made accessible to the browser, e.g.

```
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
```

Since the SSCR model currently only supports GET requests, `GET` alone should be sufficient.
### Access-Control-Allow-Headers

The value of this header is a comma-separated list of the headers that the server accepts on an inbound request, e.g.

```
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
```

This example list is sufficient to allow the SIDeR app to send the required headers to the endpoints.
Below is a full example of a set of response headers on an OPTIONS request that would allow the SIDeR app to interact fully with the endpoint:

```
HTTP/2 200 OK
date: Fri, 13 Mar 2020 11:27:04 GMT
content-type: text/html; charset=utf-8
content-length: 8
server: nginx/1.14.1
x-powered-by: Express
access-control-allow-origin: https://pyrusapps.blackpear.com
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
access-control-allow-methods: GET,HEAD
```
When responding to requests using other methods (GET, POST, PUT etc.), CORS requires that the Access-Control-Allow-Origin header be present, as detailed above.
Below is a full example of a set of response headers on one of these requests that would allow the SIDeR app to interact fully with the endpoint:

```
HTTP/2 200 OK
date: Fri, 13 Mar 2020 11:27:04 GMT
content-type: text/html; charset=utf-8
content-length: 8
server: nginx/1.14.1
x-powered-by: Express
access-control-allow-origin: https://pyrusapps.blackpear.com
```