Hans Karlsen (talk | contribs) No edit summary |
(Adding page to Category:TOC because it contains a TOC.) |
||
(20 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
=== Definition === | |||
Find a good description for CORS (Cross-Origin Resource Sharing) at this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS | |||
Add a or change web.config on the root | Learn more about CORS here: https://youtube.com/watch?v=Ka8vG5miErk | ||
== Enabling CORS == | |||
To enable CORS on IIS - all sites on the machine: | |||
Add a or change web.config on the root website (Default Web site):<pre><?xml version="1.0" encoding="utf-8"?> | |||
<configuration> | <configuration> | ||
<system.webServer> | <system.webServer> | ||
Line 11: | Line 16: | ||
</cors> | </cors> | ||
</system.webServer> | </system.webServer> | ||
</configuration></pre>To do this on App level - change Web.config in the same way - but beware that web-config is part of installation and will be replaced | </configuration></pre>To do this on App level - change Web.config in the same way - but beware that web-config is part of the installation and will be replaced upon update. | ||
Details from the IIS team on how to configure CORS using XML (like above): | |||
* https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module | |||
* https://www.w3.org/wiki/CORS_Enabled | * https://www.w3.org/wiki/CORS_Enabled | ||
* https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api | * https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api | ||
To test that CORS is active, you can use this online tool, for example, https://www.test-cors.org/. | |||
Just enter the root URL of your site in "Remote URL". | |||
== Contender | == Contender Implementation - Cors With Dynamic Decisions == | ||
To allow dynamic decisions on whom to allow | To allow dynamic decisions on whom to allow Cors entry, you can now implement this model pattern: | ||
[[File:2020-09-16 17h27 21.png|none|thumb|608x608px]] | [[File:2020-09-16 17h27 21.png|none|thumb|608x608px]] | ||
Class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean | Class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean | ||
This method will be called when you use RestAllowed | This method will be called when you use RestAllowed Viewmodels and the caller's Origin in small caps will be given in the parameter. | ||
This example returns true for all -> | This example returns true for all -> which means that all origins are ok. | ||
A more realistic implementation might be | A more realistic implementation might be: | ||
MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed | MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed | ||
The check is cached in | The check is cached in an internal Dictionary for 10 minutes - changes will be discovered in 10-minute intervals. | ||
If the model pattern is wrong you get an exception in | If the model pattern is wrong, you get an exception in the Turnkey log: | ||
CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex) | CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex) | ||
NOTE - if you have Cors-middleware in IIS or Cassini you will not see the effect from the above since middleware will overwrite. | '''NOTE''' - if you have Cors-middleware in IIS or Cassini, you will not see the effect from the above since middleware will overwrite. | ||
If | If Cors headers are applied, this is what we apply: | ||
Response.Headers.Add("Access-Control-Allow-Origin", cleanorg); | Response.Headers.Add("Access-Control-Allow-Origin", cleanorg); | ||
Response.Headers.Add("Access-Control-Allow-Credentials", "true"); | Response.Headers.Add("Access-Control-Allow-Credentials", "true"); | ||
Line 46: | Line 51: | ||
Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET"); | Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET"); | ||
Response.Headers.Add("Vary", "Origin"); | Response.Headers.Add("Vary", "Origin"); | ||
You may also send (not recommended due to open nature of web) credentials in basic authentication scheme: | You may also send (not recommended due to the open nature of the web) the credentials in the basic authentication scheme: | ||
<pre> | <pre> | ||
function myFunction(){ | |||
$.ajax({ | $.ajax({ | ||
type: "get", | type: "get", | ||
url: | url: "http://localhost:5052/TurnkeyRest/Get?command=AutoFormClass1x&id=1!45", | ||
xhrFields: { withCredentials: true }, | xhrFields: { withCredentials: true }, | ||
headers: { | headers: { | ||
"Authorization": "Basic " + btoa(" | "Authorization": "Basic " + btoa("theuser:thepwd") | ||
} | } | ||
}).done(function (data) { | }).done(function (data) { | ||
Line 63: | Line 69: | ||
}); | }); | ||
} | } | ||
</pre> | |||
==== Writing to ViewModels from Javascript ==== | |||
Post data to a ViewModel-driven MDriven Form (i.e., not the best way - but rather injecting data into standard UI) - you can proceed like this: | |||
<pre> | |||
let formData = new FormData(); | |||
formData.append("Filter", "v"); | |||
fetch('https://YOURTURNKEYSITE/TurnkeyRest/Post?command=AutoFormSysUserSeeker', { | |||
headers: new Headers(), | |||
method: "POST", | |||
mode: 'cors', | |||
body: formData | |||
}).then((response) => { | |||
if (response.ok) { | |||
return response.json() | |||
} else { | |||
// | |||
} | |||
}).then((responseJsonData) => { | |||
callback && callback(responseJsonData); | |||
}).catch((error) => { | |||
console.log("getWatchHistory error " + error); | |||
}); | |||
</pre> | </pre> | ||
[[Category:Security]] | |||
[[Category:IIS]] | |||
{{Edited|July|12|2024}} | |||
[[Category:TOC]] |
Latest revision as of 13:46, 26 March 2024
Definition
Find a good description for CORS (Cross-Origin Resource Sharing) at this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Learn more about CORS here: https://youtube.com/watch?v=Ka8vG5miErk
Enabling CORS
To enable CORS on IIS - all sites on the machine:
Add a or change web.config on the root website (Default Web site):
<?xml version="1.0" encoding="utf-8"?> <configuration> <system.webServer> <cors enabled="true" failUnlistedOrigins="true"> <add origin="*"/> <add origin="https://www.test-cors.org" allowCredentials="true" > <allowHeaders allowAllRequestedHeaders="true"/> </add> </cors> </system.webServer> </configuration>
To do this on App level - change Web.config in the same way - but beware that web-config is part of the installation and will be replaced upon update.
Details from the IIS team on how to configure CORS using XML (like above):
To test that CORS is active, you can use this online tool, for example, https://www.test-cors.org/.
Just enter the root URL of your site in "Remote URL".
Contender Implementation - Cors With Dynamic Decisions
To allow dynamic decisions on whom to allow Cors entry, you can now implement this model pattern:
Class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean
This method will be called when you use RestAllowed Viewmodels and the caller's Origin in small caps will be given in the parameter.
This example returns true for all -> which means that all origins are ok.
A more realistic implementation might be:
MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed
The check is cached in an internal Dictionary for 10 minutes - changes will be discovered in 10-minute intervals.
If the model pattern is wrong, you get an exception in the Turnkey log:
CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)
NOTE - if you have Cors-middleware in IIS or Cassini, you will not see the effect from the above since middleware will overwrite.
If Cors headers are applied, this is what we apply:
Response.Headers.Add("Access-Control-Allow-Origin", cleanorg); Response.Headers.Add("Access-Control-Allow-Credentials", "true"); Response.Headers.Add("Access-Control-Allow-Headers", "authorization"); Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET"); Response.Headers.Add("Vary", "Origin");
You may also send (not recommended due to the open nature of the web) the credentials in the basic authentication scheme:
function myFunction(){ $.ajax({ type: "get", url: "http://localhost:5052/TurnkeyRest/Get?command=AutoFormClass1x&id=1!45", xhrFields: { withCredentials: true }, headers: { "Authorization": "Basic " + btoa("theuser:thepwd") } }).done(function (data) { debugger; $('#value1').text(data); }).fail(function (jqXHR, textStatus, errorThrown) { debugger; $('#value1').text(jqXHR.responseText || textStatus); }); }
Writing to ViewModels from Javascript
Post data to a ViewModel-driven MDriven Form (i.e., not the best way - but rather injecting data into standard UI) - you can proceed like this:
let formData = new FormData(); formData.append("Filter", "v"); fetch('https://YOURTURNKEYSITE/TurnkeyRest/Post?command=AutoFormSysUserSeeker', { headers: new Headers(), method: "POST", mode: 'cors', body: formData }).then((response) => { if (response.ok) { return response.json() } else { // } }).then((responseJsonData) => { callback && callback(responseJsonData); }).catch((error) => { console.log("getWatchHistory error " + error); });