We have a custom HTTP proxy service that proxies to various microservices and we are trying to replace it with Istio (which we already use for other things). One thing that this custom service does is set CORS-related headers, and it looks like we should be able to move this into Istio as well (to handle CORS entirely in Istio instead of pushing it into each separate microservice).

However, currently the CORS configuration for this domain is that when accessed from some origins, credentials are allowed to be sent, and when accessed from other origins, credentials cannot be sent.

Is it possible to implement this with Istio? It looks to me like for a given CorsPolicy, you can only set allowCredentials to a single bool — it can't vary for the different allowOrigins entries. And each HTTPRoute can only have a single CorsPolicy. Finally, I think this can't just be done by having two HTTPRoutes with identical match and route and different corsPolicy, as only the first matching route will be used.

If I need this semantics for my services' CORS policies, do I really need to either push them into every microservice (which aren't even all in the same language/ecosystem), or put some other proxy in between Istio and the microservices?