Access-control-allow-origin with multiple domains

Question

In my web config I would like to specify more than one domain for the access-control-allow-origin directive  I don t want to use    I ve tried this syntax      lt add name  Access-Control-Allow-Origin  value  http   localhost 1506  http   localhost 1502    gt    this one    lt add name  Access-Control-Allow-Origin  value  http   localhost 1506 http   localhost 1502    gt    this one   lt add name  Access-Control-Allow-Origin  value  http   localhost 1506  http   localhost 1502    gt    and this one   lt add name  Access-Control-Allow-Origin  value  http   localhost 1506    gt   lt add name  Access-Control-Allow-Origin  value  http   localhost 1502    gt    but none of them work  What is the correct syntax

User · Answer

Try this   lt add name  quot Access-Control-Allow-Origin quot  value  quot   URL1   URL2       quot    gt

User · Answer

You can add this code to your asp net webapi project   in file Global asax      protected void Application BeginRequest         string origin   Request Headers Get  Origin        if  Request HttpMethod     OPTIONS                 Response AddHeader  Access-Control-Allow-Origin   origin           Response AddHeader  Access-Control-Allow-Headers                 Response AddHeader  Access-Control-Allow-Methods    GET POST PUT OPTIONS DELETE            Response StatusCode   200          Response End              else               Response AddHeader  Access-Control-Allow-Origin   origin           Response AddHeader  Access-Control-Allow-Headers                 Response AddHeader  Access-Control-Allow-Methods    GET POST PUT OPTIONS DELETE

User · Answer

You can use owin middleware to define cors policy in which you can define multiple cors origins  return new CorsOptions                       PolicyProvider   new CorsPolicyProvider                               PolicyResolver   context   gt                                        var policy   new CorsPolicy                                                 AllowAnyOrigin   false                          AllowAnyMethod   true                          AllowAnyHeader   true                          SupportsCredentials   true                                            policy Origins Add  http   foo com                        policy Origins Add  http   bar com                        return Task FromResult policy

User · Answer

For IIS 7 5  and Rewrite 2 0 you can use    lt system webServer gt      lt httpProtocol gt        lt customHeaders gt            lt add name  Access-Control-Allow-Headers  value  Origin  X-Requested-With  Content-Type  Accept    gt            lt add name  Access-Control-Allow-Methods  value  POST GET OPTIONS PUT DELETE    gt        lt  customHeaders gt      lt  httpProtocol gt           lt rewrite gt                           lt outboundRules gt                   lt clear   gt                                   lt rule name  AddCrossDomainHeader  gt                       lt match serverVariable  RESPONSE Access Control Allow Origin  pattern        gt                       lt conditions logicalGrouping  MatchAll  trackAllCaptures  true  gt                           lt add input   HTTP ORIGIN   pattern   http s             domain1  com        domain2  com        domain3  com      gt                       lt  conditions gt                       lt action type  Rewrite  value   C 0     gt                   lt  rule gt                          lt  outboundRules gt           lt  rewrite gt    lt  system webServer gt    Explaining the server variable RESPONSE Access Control Allow Origin portion  In Rewrite you can use any string after RESPONSE  and it will create the Response Header using the rest of the word as the header name  in this case Access-Control-Allow-Origin   Rewrite uses underscores     instead of dashes  -   rewrite converts them to dashes   Explaining the server variable HTTP ORIGIN   Similarly  in Rewrite you can grab any Request Header using HTTP  as the prefix  Same rules with the dashes  use underscores     instead of dashes  -

User · Answer

In Web API this attribute can be added using Microsoft AspNet WebApi Cors as detailed at http   www asp net web-api overview security enabling-cross-origin-requests-in-web-api  In MVC you could create a filter attribute to do this work for you    AttributeUsage AttributeTargets Class   AttributeTargets Method                  AllowMultiple   true  Inherited   true   public class EnableCorsAttribute   FilterAttribute  IActionFilter       private const string IncomingOriginHeader    Origin       private const string OutgoingOriginHeader    Access-Control-Allow-Origin       private const string OutgoingMethodsHeader    Access-Control-Allow-Methods       private const string OutgoingAgeHeader    Access-Control-Max-Age        public void OnActionExecuted ActionExecutedContext filterContext               Do nothing            public void OnActionExecuting ActionExecutingContext filterContext                var isLocal   filterContext HttpContext Request IsLocal          var originHeader                 filterContext HttpContext Request Headers Get IncomingOriginHeader           var response   filterContext HttpContext Response           if   String IsNullOrWhiteSpace originHeader   amp  amp               isLocal    IsAllowedOrigin originHeader                  response AddHeader OutgoingOriginHeader  originHeader               response AddHeader OutgoingMethodsHeader   GET POST OPTIONS                response AddHeader OutgoingAgeHeader   3600                         protected bool IsAllowedOrigin string origin                  replace with your own logic to check the origin header         return true            Then either enable it for specific actions   controllers    EnableCors  public class SecurityController   Controller           snip       EnableCors      public ActionResult SignIn Guid key  string email  string password      Or add it for all controllers in Global asax cs  protected void Application Start             Snip  any existing code         Register global filter     GlobalFilters Filters Add new EnableCorsAttribute         RegisterGlobalFilters GlobalFilters Filters            snip  existing code

User · Answer

You only need    add a Global asax to your project  delete   lt add name  Access-Control-Allow-Origin  value       gt  from your web config  afterward  add this in the Application BeginRequest method of Global asax   HttpContext Current Response AddHeader  Access-Control-Allow-Origin         if  HttpContext Current Request HttpMethod     OPTIONS         HttpContext Current Response AddHeader  Access-Control-Allow-Methods    POST GET OPTIONS PUT DELETE        HttpContext Current Response AddHeader  Access-Control-Allow-Headers    Content-Type  Authorization  Accept        HttpContext Current Response End         I hope this help  that work for me

User · Answer

Look into the Thinktecture IdentityModel library -- it has full CORS support   http   brockallen com 2012 06 28 cors-support-in-webapi-mvc-and-iis-with-thinktecture-identitymodel   And it can dynamically emit the ACA-Origin you want

User · Answer

I managed to solve this in the Request handling code following advice from  monsur     string origin   WebOperationContext Current IncomingRequest Headers Get  Origin     WebOperationContext Current OutgoingResponse Headers Add  Access-Control-Allow-Origin   origin

User · Answer

For IIS 7 5  you can use IIS CORS Module  https   www iis net downloads microsoft iis-cors-module  Your web config should be something like this    lt  xml version  1 0  encoding  UTF-8   gt   lt configuration gt       lt system webServer gt           lt cors enabled  true  failUnlistedOrigins  true  gt               lt add origin  http   localhost 1506  gt                   lt allowMethods gt                                           lt add method  GET    gt                       lt add method  HEAD    gt                       lt add method  POST    gt                       lt add method  PUT    gt                        lt add method  DELETE    gt                    lt  allowMethods gt               lt  add gt               lt add origin  http   localhost 1502  gt                   lt allowMethods gt                       lt add method  GET    gt                       lt add method  HEAD    gt                       lt add method  POST    gt                       lt add method  PUT    gt                        lt add method  DELETE    gt                    lt  allowMethods gt               lt  add gt           lt  cors gt       lt  system webServer gt   lt  configuration gt    You can find the configuration reference in here  https   docs microsoft com en-us iis extensions cors-module cors-module-configuration-reference

User · Answer

After reading every answer and trying them  none of them helped me  What I found while searching elsewhere is that you can create a custom attribute that you can then add to your controller  It overwrites the EnableCors ones and add the whitelisted domains in it   This solution is working well because it lets you have the whitelisted domains in the webconfig  appsettings  instead of harcoding them in the EnableCors attribute on your controller     AttributeUsage AttributeTargets Class   AttributeTargets Method  AllowMultiple   false   public class EnableCorsByAppSettingAttribute   Attribute  ICorsPolicyProvider       const string defaultKey    whiteListDomainCors       private readonly string rawOrigins      private CorsPolicy corsPolicy            lt summary gt          By default uses  cors AllowedOrigins  AppSetting key          lt  summary gt      public EnableCorsByAppSettingAttribute             this defaultKey     Use default AppSetting key                       lt summary gt          Enables Cross Origin          lt  summary gt           lt param name  appSettingKey  gt AppSetting key that defines valid origins lt  param gt      public EnableCorsByAppSettingAttribute string appSettingKey                   Collect comma separated origins         this rawOrigins   AppSettings whiteListDomainCors          this BuildCorsPolicy                    lt summary gt          Build Cors policy          lt  summary gt      private void BuildCorsPolicy                 bool allowAnyHeader   String IsNullOrEmpty this Headers     this Headers                 bool allowAnyMethod   String IsNullOrEmpty this Methods     this Methods                  this corsPolicy   new CorsPolicy                       AllowAnyHeader   allowAnyHeader              AllowAnyMethod   allowAnyMethod                         Add origins from app setting value         this corsPolicy Origins AddCommaSeperatedValues this rawOrigins           this corsPolicy Headers AddCommaSeperatedValues this Headers           this corsPolicy Methods AddCommaSeperatedValues this Methods              public string Headers   get  set        public string Methods   get  set         public Task lt CorsPolicy gt  GetCorsPolicyAsync HttpRequestMessage request                                                 CancellationToken cancellationToken                return Task FromResult this corsPolicy                internal static class CollectionExtensions       public static void AddCommaSeperatedValues this ICollection lt string gt  current  string raw                if  current    null                        return                     var paths   new List lt string gt  AppSettings whiteListDomainCors Split new char                      foreach  var value in paths                        current Add value                       I found this guide online and it worked like a charm    http   jnye co Posts 2032 dynamic-cors-origins-from-appsettings-using-web-api-2-2-cross-origin-support  I thought i d drop that here for anyone in need

User · Answer

There can only be one Access-Control-Allow-Origin response header  and that header can only have one origin value  Therefore  in order to get this to work  you need to have some code that    Grabs the Origin request header  Checks if the origin value is one of the whitelisted values  If it is valid  sets the Access-Control-Allow-Origin header with that value    I don t think there s any way to do this solely through the web config   if  ValidateRequest          Response Headers Remove  Access-Control-Allow-Origin        Response AddHeader  Access-Control-Allow-Origin   Request UrlReferrer GetLeftPart UriPartial Authority         Response Headers Remove  Access-Control-Allow-Credentials        Response AddHeader  Access-Control-Allow-Credentials    true         Response Headers Remove  Access-Control-Allow-Methods        Response AddHeader  Access-Control-Allow-Methods    GET  POST  PUT  DELETE  OPTIONS

[asp.net] Access-control-allow-origin with multiple domains

Examples related to asp.net

Examples related to iis

Examples related to cors

Examples related to web-config