 

subdomain CORS in webApi 2

I am using WebApi like I've learnt from http://t.co/mt9wIL8gLA

It all works well if I know exactly the perfect origin URI of my client's requests. Too bad I am writing an enterprise-wide API, so my request to, say, http://apps.contoso.com/myApp/api/foobar may come from apps all over my domain, say:

http://apps.contoso.com/CRMApp

http://apps.contoso.com/XYZ

http://www.contoso.com/LegacyApp

http://test.contoso.com/newApps/WowApp ... and all the new apps my enterprise builds.

What is the best way to approach this? Using Origins="*" is cheesy; adding origins to my WS source and redeploying is cheesier.

My current solution is writing a custom CorsPolicyAttribute like in http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api#cors-policy-providers and reading the allowed origins from appSettings in web.config. A LITTLE better could be, inside the custom attribute, checking if the request Origin: header is from contoso.com, maybe with a regexp, and adding it to the allowed origins.

I am wondering if there is a better, more standard, way.

pomarc asked Mar 19 '14 16:03




1 Answer

Use a DynamicPolicyProviderFactory. That's what I use... I even posted a question about it the other day that kind of shows how to add the allowed domains to the web.config file.

Mike_G answered Sep 30 '22 22:09
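The following is an added C# example, not code from the question, the answer, or the ASP.NET Web API CORS package documentation. It implements the approach the question sketches (a policy-provider attribute that reads the enterprise domains from web.config and admits any origin under them) and also shows the factory-style registration the answer points to. The attribute name EnterpriseCorsAttribute, the factory name EnterpriseCorsPolicyProviderFactory and the appSettings key cors:allowedDomains are assumptions; ICorsPolicyProvider, ICorsPolicyProviderFactory, CorsPolicy and CorsConstants are the types shipped in Microsoft.AspNet.WebApi.Cors. The point it adds over the question's "maybe with a regexp" idea is that the Origin value is parsed as a URI and the host is compared on a label boundary, so a loose pattern such as contoso\.com cannot be satisfied by hosts like notcontoso.com or contoso.com.attacker.example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http.Cors;

// Added example: allows any origin whose host is one of the configured
// enterprise domains or a subdomain of one. Assumed web.config entry:
//   <appSettings><add key="cors:allowedDomains" value="contoso.com" /></appSettings>
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class EnterpriseCorsAttribute : Attribute, ICorsPolicyProvider
{
    private static readonly string[] AllowedDomains = LoadAllowedDomains();

    private static string[] LoadAllowedDomains()
    {
        // Assumed key name; the value is a comma-separated list of domains.
        string raw = ConfigurationManager.AppSettings["cors:allowedDomains"] ?? string.Empty;
        return raw.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                  .Select(d => d.Trim().TrimStart('.').ToLowerInvariant())
                  .Where(d => d.Length > 0)
                  .ToArray();
    }

    public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var policy = new CorsPolicy { AllowAnyHeader = true, AllowAnyMethod = true };

        IEnumerable<string> values;
        if (request.Headers.TryGetValues(CorsConstants.Origin, out values))
        {
            string origin = values.FirstOrDefault();
            if (IsAllowedOrigin(origin, AllowedDomains))
            {
                // Echo back exactly the requesting origin (never "*"), which is the
                // only form a browser accepts together with credentials.
                policy.Origins.Add(origin);
                policy.SupportsCredentials = true;
            }
        }
        // For any other origin the policy lists no origins, so the CORS handler
        // does not emit Access-Control-Allow-Origin and the browser blocks the call.
        return Task.FromResult(policy);
    }

    // Pure check, kept separate so it can be unit-tested without an HTTP pipeline.
    public static bool IsAllowedOrigin(string origin, IEnumerable<string> allowedDomains)
    {
        Uri uri;
        if (string.IsNullOrEmpty(origin) || !Uri.TryCreate(origin, UriKind.Absolute, out uri))
            return false; // covers the literal "null" origin sent from sandboxed or file:// contexts
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;
        // A well-formed Origin is scheme://host[:port] with no path or query.
        if (uri.AbsolutePath != "/" || !string.IsNullOrEmpty(uri.Query))
            return false;

        // Match the whole host or a subdomain of it on a "." boundary; a substring
        // or regex match would also accept hosts that merely contain the domain.
        string host = uri.Host.ToLowerInvariant();
        return allowedDomains.Any(d => host == d || host.EndsWith("." + d, StringComparison.Ordinal));
    }
}

// Factory-style registration (the route the answer describes): hand the same
// provider to every request instead of decorating each controller. Name assumed.
public sealed class EnterpriseCorsPolicyProviderFactory : ICorsPolicyProviderFactory
{
    private static readonly ICorsPolicyProvider Provider = new EnterpriseCorsAttribute();

    public ICorsPolicyProvider GetCorsPolicyProvider(HttpRequestMessage request)
    {
        return Provider;
    }
}

// In WebApiConfig.Register(HttpConfiguration config):
//   config.SetCorsPolicyProviderFactory(new EnterpriseCorsPolicyProviderFactory());
//   config.EnableCors();
// or, per controller, decorate it with [EnterpriseCors] and call config.EnableCors().
```

With cors:allowedDomains set to contoso.com, the origins http://apps.contoso.com, http://www.contoso.com and https://test.contoso.com:8443 are admitted, while http://contoso.com.attacker.example, http://notcontoso.com and ftp://apps.contoso.com are not. Adding a second enterprise domain is a web.config change rather than a redeploy, which is what the question was after.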