Menu
I need to access a font file in my application from the server that I also own. It works for all browsers but Firefox, and I know that I need to add a 'Access-Control-Allow-Origin' header.
So in the root of my server there is another application with web.config to which I added:
<httpProtocol> <customHeaders> <add name="Access-Control-Allow-Origin" value="*" /> </customHeaders> </httpProtocol> It works fine however, I am not sure what are the security issues here. Is specifying the domain that can access it a good security resolution here? I think I'd rather have this setting only for files in font folder and not the whole application. I saw a .htaccess solution for it which requires placing the file in desired folder, but how can I do it with web.config or IIS setting?
Apache:
<FilesMatch "\.(ttf|otf|eot|woff)$"> <IfModule mod_headers.c> Header set Access-Control-Allow-Origin "http://yourdomain.com" </IfModule> </FilesMatch> Thanks a lot,
329
Enable CORS Using IIS ManagerNavigate to the website you need to edit the response headers for. A dialog box will open. For name enter "Access-Control-Allow-Origin" and for Value enter an asterisk ( * ). Click Ok, you are done.
You need just need your site to send the HTTP header Access-Control-Allow-Origin with the value * to "turn off" CORs (well allow any origin).
You can add @CrossOrigin("http://localhost:8080") to proper method if you want :8080 to allow request there. It's a simple config for one endpoint/controller. You can use variable there too for customization later of course.
Browsers are required to send the Origin header on all cross-domain requests. The docs specifically state that you need to echo this header back in the Access-Control-Allow-Origin header if you are accepting/planning on accepting the request. That's what this Header directive is doing.
Access-Control-Allow-Headers The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. This header is required if the request has an Access-Control-Request-Headers header.
Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7). In Features View, double-click HTTP Response Headers.
To set Access-Control-Allow-Origin header in Apache, just add the following line inside either the <Directory>, <Location>, <Files> or <VirtualHost> sections of your file. Header set Access-Control-Allow-Origin "*" The above line will allow Apache to accept requests from all other domains.
Have you tried to put a web.config in the desired subfolder only? Have a look at "ASP.NET Configuration File Hierarchy and Inheritance".
127
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
