cors docs

Signed-off-by: huabing zhao <[email protected]>

site/content/en/latest/user/cors.md

@@ -16,7 +16,7 @@ Before proceeding, you should be able to query the example backend using HTTP.
 
 ## Configuration
 
-The below example defines a SecurityPolicy that allows CORS requests from `*.example.com`.
+The below example defines a SecurityPolicy that allows CORS requests from `*.foo.com`.
 
 ```shell
 cat <<EOF | kubectl apply -f -
@@ -31,8 +31,8 @@ spec:
     name: backend
   cors:
     allowOrigins:
-    - type: RegularExpression
-      value: "*.foo.com"
+    - type: Suffix
+      value: ".foo.com"
     allowMethods:
     - GET
     - POST
@@ -60,73 +60,46 @@ Quickstart instructions to set the variable.
 echo $GATEWAY_HOST
 ```
 
-Verify that requests to `/foo` are denied without a JWT:
+Verify that the CORS headers are present in the response of the OPTIONS request from `http://www.foo.com`:
 
 ```shell
-curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GATEWAY_HOST/foo
+curl -H "Origin: http://www.foo.com" \
+  -H "Host: www.example.com" \
+  -H "Access-Control-Request-Method: GET" \
+  -X OPTIONS -v -s \
+  http://$GATEWAY_HOST \
+  1> /dev/null
 ```
 
-A `401` HTTP response code should be returned.
-
-Get the JWT used for testing request authentication:
+You should see the below response, indicating that the request from `http://www.foo.com` is allowed:
 
 ```shell
-TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
+< access-control-allow-origin: http://www.foo.com
+< access-control-allow-methods: GET, POST
+< access-control-allow-headers: x-header-1, x-header-2
+< access-control-max-age: 86400
+< access-control-expose-headers: x-header-3, x-header-4
 ```
 
-__Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's
-header.
-
-Verify that a request to `/foo` with a valid JWT is allowed:
-
-```shell
-curl -sS -o /dev/null -H "Host: www.example.com" -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n" http://$GATEWAY_HOST/foo
-```
-
-A `200` HTTP response code should be returned.
-
-Verify that requests to `/bar` are allowed __without__ a JWT:
+If you try to send a request from `http://www.bar.com`, you should see the below response:
 
 ```shell
-curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GATEWAY_HOST/bar
+curl -H "Origin: http://www.bar.com" \
+  -H "Host: www.example.com" \
+  -H "Access-Control-Request-Method: GET" \
+  -X OPTIONS -v -s \
+  http://$GATEWAY_HOST \
+  1> /dev/null
 ```
 
-### GRPCRoute
+You won't see any CORS headers in the response, indicating that the request from `http://www.bar.com` was not allowed.
 
-Verify that requests to `yages`service are denied without a JWT:
+Note: CORS specification requires that the browsers to send a preflight request to the server to ask if it's allowed
+to access the limited resource in another domains. The browsers are supposed to follow the response from the server to
+determine whether to send the actual request or not. The CORS filter only response to the preflight requests according to
+its configuration. It won't deny any requests. The browsers are responsible for enforcing the CORS policy.
 
 ```shell
-grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping
-```
-
-You should see the below response
-
-```shell
-Error invoking method "yages.Echo/Ping": rpc error: code = Unauthenticated desc = failed to query for service descriptor "yages.Echo": Jwt is missing
-```
-
-Get the JWT used for testing request authentication:
-
-```shell
-TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
-```
-
-__Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's
-header.
-
-Verify that a request to `yages` service with a valid JWT is allowed:
-
-```shell
-grpcurl -plaintext -H "authorization: Bearer $TOKEN" -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping
-```
-
-You should see the below response
-
-```shell
-{
-  "text": "pong"
-}
-```
 
 ## Clean-Up
 
@@ -135,7 +108,7 @@ Follow the steps from the [Quickstart](quickstart.md) guide to uninstall Envoy G
 Delete the SecurityPolicy:
 
 ```shell
-kubectl delete securitypolicy/jwt-example
+kubectl delete securitypolicy/cors-example
 ```
 
 ## Next Steps