Cors
Latest revision as of 13:46, 26 March 2024

Definition

Find a good description for CORS (Cross-Origin Resource Sharing) at this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Learn more about CORS here: https://youtube.com/watch?v=Ka8vG5miErk

Enabling CORS

To enable CORS on IIS for all sites on the machine:

Add or change the web.config on the root website (Default Web Site):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <cors enabled="true" failUnlistedOrigins="true">
      <add origin="*"/>
      <add origin="https://www.test-cors.org" allowCredentials="true" >
        <allowHeaders allowAllRequestedHeaders="true"/>
      </add>
    </cors>
  </system.webServer>
</configuration>

To do this at the application level, change that application's Web.config in the same way, but beware that this Web.config is part of the installation and will be replaced upon update.

Good links:

Details from the IIS team on how to configure CORS using XML (like above): https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module

https://www.w3.org/wiki/CORS_Enabled

https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api

To test that CORS is active, you can use an online tool such as https://www.test-cors.org/: just enter the root URL of your site in "Remote URL".
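As an added illustration (not code from this wiki page or from MDriven), the function below applies the same acceptance rules a browser uses when it reads CORS response headers, so a response captured from your site can be judged without the online tool. The two sample header sets are constructed to mirror the wildcard entry and the credentialed test-cors.org entry of the web.config above.

```javascript
// Added example: judge a CORS response the way a browser would.
// requestOrigin is the Origin the browser sent; headers is a plain object of
// response headers; withCredentials mirrors fetch's credentials: "include".
function evaluateCorsResponse(requestOrigin, headers, withCredentials) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const allowOrigin = h["access-control-allow-origin"];
  const allowCreds = h["access-control-allow-credentials"];
  const problems = [];

  if (allowOrigin === undefined) {
    // Unlisted origin with failUnlistedOrigins="true", or the module is not active.
    problems.push("no Access-Control-Allow-Origin header in the response");
  } else if (allowOrigin === "*") {
    if (withCredentials) problems.push("wildcard origin is rejected for credentialed requests");
  } else if (allowOrigin !== requestOrigin) {
    // Browsers compare the header value byte for byte with the serialized Origin.
    problems.push(`Access-Control-Allow-Origin ${allowOrigin} does not match ${requestOrigin}`);
  }
  if (withCredentials && allowCreds !== "true") {
    problems.push('Access-Control-Allow-Credentials must be exactly "true"');
  }
  if (allowOrigin !== undefined && allowOrigin !== "*" && !/\borigin\b/i.test(h["vary"] || "")) {
    // Not a browser rule, but without it a shared cache may replay one origin's echo to another.
    problems.push("Vary: Origin missing on a per-origin response");
  }
  return { accepted: problems.length === 0, problems };
}

// Constructed responses modelled on the two <add> entries of the web.config above.
const wildcardResponse = { "Access-Control-Allow-Origin": "*" };
const listedResponse = {
  "Access-Control-Allow-Origin": "https://www.test-cors.org",
  "Access-Control-Allow-Credentials": "true",
  "Vary": "Origin",
};
```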

Contender Implementation - Cors With Dynamic Decisions

To decide dynamically which origins are allowed CORS access, you can implement this model pattern:

[Image: 2020-09-16 17h27 21.png, the TK_WebCors model pattern]

Add a class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean.

This method is called when you use RestAllowed ViewModels; the caller's Origin, in lower case, is passed as the parameter.

The example in the image returns true for every origin, which means that all origins are accepted.

A more realistic implementation might be:

MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed

The result is cached in an internal Dictionary for 10 minutes, so changes to the underlying data are only picked up at 10-minute intervals.

If the model pattern is wrong, you get an exception in the Turnkey log:

CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)

NOTE: if you have CORS middleware in IIS or Cassini, you will not see the effect of the above, since the middleware overwrites the headers.

When CORS headers are applied, these are the headers Turnkey sets:

Response.Headers.Add("Access-Control-Allow-Origin", cleanorg);
Response.Headers.Add("Access-Control-Allow-Credentials", "true");
Response.Headers.Add("Access-Control-Allow-Headers", "authorization");
Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET");
Response.Headers.Add("Vary", "Origin");
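The following is an added model of the flow described above, not Turnkey's own code: getAllowOrigin stands in for the modelled static TK_WebCors.GetAllowOrigin, each decision is cached per lowercased origin for 10 minutes, the headers are exactly the five listed above, and an exception from the model pattern is logged and, as an assumption of this example, treated as a denial.

```javascript
// Added example, not Turnkey's code: models CheckCorsHeaders as described above.
// now() is injectable so the 10-minute cache can be exercised without waiting.
const CACHE_TTL_MS = 10 * 60 * 1000;

function createCorsChecker(getAllowOrigin, now = () => Date.now()) {
  const cache = new Map(); // lowercased origin -> { allowed, expires }

  function isAllowed(origin) {
    const cleanorg = origin.toLowerCase(); // the Origin is handed over in small caps
    const hit = cache.get(cleanorg);
    if (hit && hit.expires > now()) return hit.allowed; // served from the cache
    let allowed;
    try {
      allowed = getAllowOrigin(cleanorg) === true;
    } catch (ex) {
      // A wrong model pattern is logged (as in the Turnkey log line above);
      // assumption of this example: the origin is then denied.
      console.error("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex.message);
      allowed = false;
    }
    cache.set(cleanorg, { allowed, expires: now() + CACHE_TTL_MS });
    return allowed;
  }

  // The headers listed above; an empty object means "send no CORS headers".
  function corsHeadersFor(origin) {
    if (!origin || !isAllowed(origin)) return {};
    return {
      "Access-Control-Allow-Origin": origin.toLowerCase(),
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Headers": "authorization",
      "Access-Control-Allow-Methods": "POST, GET",
      "Vary": "Origin", // caches must key on Origin, not replay the first caller's echo
    };
  }

  return { isAllowed, corsHeadersFor };
}

// Constructed allow-list standing in for MyValidCorsCallers.allinstances
const validCallers = new Map([["https://www.test-cors.org", true]]);
const checker = createCorsChecker((org) => validCallers.get(org) === true);
```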

You may also send credentials using the Basic authentication scheme (not recommended, given the open nature of the web):

function myFunction() {
    $.ajax({
        type: "get",
        url: "http://localhost:5052/TurnkeyRest/Get?command=AutoFormClass1x&id=1!45",
        xhrFields: { withCredentials: true }, // needs Access-Control-Allow-Credentials: true from the server
        headers: {
            "Authorization": "Basic " + btoa("theuser:thepwd")
        }
    }).done(function (data) {
        debugger;
        $('#value1').text(data);
    }).fail(function (jqXHR, textStatus, errorThrown) {
        debugger;
        $('#value1').text(jqXHR.responseText || textStatus);
    });
}

Writing to ViewModels from Javascript

To post data to a ViewModel-driven MDriven Form (not the best approach, since this injects data into the standard UI), you can proceed like this:

// Posts the form data to the Turnkey REST endpoint and hands the JSON reply
// to callback; YOURTURNKEYSITE is a placeholder for your own site.
function postToViewModel(callback) {
    let formData = new FormData();
    formData.append("Filter", "v");
    fetch('https://YOURTURNKEYSITE/TurnkeyRest/Post?command=AutoFormSysUserSeeker', {
        headers: new Headers(),
        method: "POST",
        mode: 'cors',
        body: formData
    }).then((response) => {
        if (response.ok) {
            return response.json();
        } else {
            // turn an HTTP error status into a rejection so .catch sees it
            throw new Error("HTTP " + response.status);
        }
    }).then((responseJsonData) => {
        callback && callback(responseJsonData);
    }).catch((error) => {
        console.log("postToViewModel error " + error);
    });
}