Setting CORS-Related HTTP Headers with MFCC

The Micro Focus Common Client (MFCC) is used by COBOL Web Service proxies and Enterprise Server CICS Web Interface (CWI) and CICS Web Services (CWS) clients to make HTTP requests for Web SOAP and JSON APIs and other HTTP-based resources.

Because of a Web security mechanism called the same-origin policy, Web browsers and servers use a mechanism called Cross-Origin Resource Sharing (CORS) to authorize HTTP requests. CORS is a set of rules and protocols that HTTP servers use to decide whether to allow a request.

MFCC and the programs that use it are not Web browsers, so technically none of the requests they make are "cross-origin": each request is an "initial" request, not one made in the context of a previous request. However, servers cannot tell this, and in some cases they expect to see CORS-related information in the request.

MFCC adds certain request headers by default and can be configured to omit or add headers or use particular values, as described below.

In previous releases

Prior to Enterprise Developer 9.0, MFCC did not add any CORS headers. In Enterprise Developer 9.0, MFCC added the standard Origin header to all requests to satisfy the CORS requirement. This improved interoperability but resulted in problems with a minority of servers.

The CORS headers

MFCC currently supports three HTTP request headers associated with CORS:

Origin
This header identifies the origin of a request. Because every request from MFCC is technically an initial request, MFCC by default sets this to the server which the request is being sent to, except for GET and HEAD requests, which omit it. This follows the use of the Origin header as prescribed by the Fetch specification. See https://fetch.spec.whatwg.org/ for more information.
Referer
Referer is a longstanding standard HTTP header which is set by browsers to indicate the source of the URL for the request. For example, when a user clicks a link on a web page, the request for that resource will typically include a Referer header with the URL for the page containing the link. Since MFCC and its applications are not browsers, there technically is no referrer and so no Referer header should be sent, and MFCC omits this header by default. Some servers might incorrectly require it, so it is configurable.
Note: For historical reasons, the name of the header is misspelled.
X-Requested-With
This is a non-standard header (like all headers with names beginning with "X-"), but it is universally supported by browsers. HTTP requests made by scripts on a Web page include the header X-Requested-With: XMLHttpRequest. XMLHttpRequest is the name of the JavaScript API for making these requests. Some servers might insist on an X-Requested-With header for a Web API request. MFCC by default will send X-Requested-With: MFCC.

Configuration

MFCC's handling of the CORS headers can be customized by editing the mf-client.dat file in the bin directory of your product installation, or the file specified by the MFC_CONFIG environment variable, if it is set.

Syntax:

[HTTP Headers]
Origin=origin-option
Referer=referer-option
X-Requested-With=x-requested-with-option

Where:

origin-option
This can be one of the following options:
none
Never add an Origin header.
null
Add Origin: null to non-GET/HEAD requests. null is a special value described in the specification.
standard
Add a standard Origin header (the scheme, host, and port part of the URL) to non-GET/HEAD requests.
default
Same as standard.
always
Always add a standard Origin header, including to GET/HEAD requests. This is the same as the behavior in 9.0.
literal:value
Always add Origin: value to requests.
referer-option
This can be one of the following options:
none
Do not add a Referer header.
default
Same as none.
origin
Add a Referer header with scheme://host[:port], that is, the same value used for the Origin header.
standard
Add Referer: scheme://host[:port]/path.
literal:value
Add Referer: value.
x-requested-with-option
This can be one of the following options:
none
Do not add an X-Requested-With header.
default
Add X-Requested-With: MFCC.
standard
Add X-Requested-With: XMLHttpRequest.
literal:value
Add X-Requested-With: value.
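
The following Python sketch is an added example, not Micro Focus code. It models the option rules listed above so you can predict which CORS-related headers a given [HTTP Headers] section should produce for a request. The function names, the sample configuration, the example URL, and the use of Python's configparser to read the fragment are all assumptions made for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of the [HTTP Headers] section (values chosen for illustration).
SAMPLE_CONFIG = """[HTTP Headers]
Origin=null
Referer=origin
X-Requested-With=standard
"""

def load_options(text):
    """Read the three documented options; a missing option means 'default'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep option names exactly as written in the file
    cp.read_string(text)
    sec = cp["HTTP Headers"] if cp.has_section("HTTP Headers") else {}
    return {h: sec.get(h, "default").strip()
            for h in ("Origin", "Referer", "X-Requested-With")}

def expected_headers(method, url, opts):
    """Return the headers that the documented rules predict for one request."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"            # scheme://host[:port]
    get_or_head = method.upper() in ("GET", "HEAD")
    out = {}
    o = opts["Origin"]
    if o.startswith("literal:"):
        out["Origin"] = o[len("literal:"):]
    elif o == "always" or (o in ("standard", "default") and not get_or_head):
        out["Origin"] = origin
    elif o == "null" and not get_or_head:
        out["Origin"] = "null"
    r = opts["Referer"]
    if r.startswith("literal:"):
        out["Referer"] = r[len("literal:"):]
    elif r == "origin":
        out["Referer"] = origin
    elif r == "standard":
        out["Referer"] = origin + u.path           # scheme://host[:port]/path
    x = opts["X-Requested-With"]
    if x.startswith("literal:"):
        out["X-Requested-With"] = x[len("literal:"):]
    elif x == "standard":
        out["X-Requested-With"] = "XMLHttpRequest"
    elif x == "default":
        out["X-Requested-With"] = "MFCC"
    return out
```

Comparing this prediction with the headers seen in a request trace is a quick way to confirm that the mf-client.dat you edited is the one MFCC is reading.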