Menu
I'm trying to enable CORS for certain domains within my .Net Web API application, and am able to do this on Application Start via this code..
public static void Register(HttpConfiguration config)
{
//below comma separated string is built from database
var domains = "http://www.myfirstdomain.com,http://www.myseconddomain.co.uk .... about 130 domains more..";
config.EnableCors(new EnableCorsAttribute(domains, "*", "*"));
However if new domains are added while the application is live, these will not be allowed to post cross domain until the app pool is recycled and this list is built up again.
Is there any way I can update this list during the lifetime of my application? I know I can periodically recycle the app pool but this will cause delays in some requests that I could ideally do without.
I know that I can enable this on the controller method, ie..
[EnableCors("http://domain1.com,http://domain2.com", "*", "*")]
public HttpResponseMessage PostAsync([FromBody] MyRequest myRequest)
{
However again the comma separated parameter has to be declared as a constant, and therefore cannot be dynamic.
Am I missing something blatantly obvious or can anyone think of a decent way of doing this?
EDIT
Here is my attempt at writing my own custom EnableCors attribute..
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public class EnableCorsByDomainAttribute : Attribute, ICorsPolicyProvider
{
private readonly CorsPolicy _policy;
public EnableCorsByDomainAttribute()
{
_policy = new CorsPolicy
{
AllowAnyMethod = true,
AllowAnyHeader = true
};
var originsString = "http://www.test1.com,http://www.test2.com";
if (!String.IsNullOrEmpty(originsString))
{
foreach (var origin in originsString.Split(','))
{
_policy.Origins.Add(origin);
}
}
}
public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
return Task.FromResult(_policy);
}
}
I've then decorated the controller method with
[EnableCorsByDomain]
716
To support CORS, therefore, a REST API resource needs to implement an OPTIONS method that can respond to the OPTIONS preflight request with at least the following response headers mandated by the Fetch standard: Access-Control-Allow-Methods. Access-Control-Allow-Headers. Access-Control-Allow-Origin.
The crossorigin attribute, valid on the <audio> , <img> , <link> , <script> , and <video> elements, provides support for CORS, defining how the element handles cross-origin requests, thereby enabling the configuration of the CORS requests for the element's fetched data.
Yes, Web API CORS provides an extensibility point for this kind of scenario. You can take a look at the section called 'Implementing a custom ICorsPolicyProvider' in the following Web API functional spec document for more details.
http://aspnetwebstack.codeplex.com/wikipage?title=CORS%20support%20for%20ASP.NET%20Web%20API&referringTitle=Specs
69
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
