Google Cloud Professional Cloud Developer — Question 108
You have an application that uses an HTTP Cloud Function to process user activity from both desktop browser and mobile application clients. This function will serve as the endpoint for all metric submissions using HTTP POST.
Due to legacy restrictions, the function must be mapped to a domain that is separate from the domain requested by users on web or mobile sessions. The domain for the Cloud Function is https://fn.example.com. Desktop and mobile clients use the domain https://www.example.com. You need to add a header to the function's HTTP response so that only those browser and mobile sessions can submit metrics to the Cloud Function. Which response header should you add?
Answer options
- A. Access-Control-Allow-Origin: *
- B. Access-Control-Allow-Origin: https://*.example.com
- C. Access-Control-Allow-Origin: https://fn.example.com
- D. Access-Control-Allow-Origin: https://www.example.com
Correct answer: D
Explanation
The correct answer, D, allows requests from the specific domain of the clients (https://www.example.com), ensuring that only these sessions can submit metrics. Option A allows all origins, which does not restrict access as required. Option B allows any subdomain of example.com, which is broader than necessary. Option C restricts access to the Cloud Function's domain, which does not meet the requirement of allowing only the user client domains.