Cors
No edit summary
(Adding page to Category:TOC because it contains a TOC.)
 
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
=== Definition ===
Find a good description for CORS (Cross-Origin Resource Sharing) at this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Learn more about CORS here: https://youtube.com/watch?v=Ka8vG5miErk
== Enabling CORS ==
== Enabling CORS ==
To enable CORS on IIS - all sites on the machine:  
To enable CORS on IIS - all sites on the machine:  


Add a or change web.config on the root website (Default Web site)<pre><?xml version="1.0" encoding="utf-8"?>   
Add a or change web.config on the root website (Default Web site):<pre><?xml version="1.0" encoding="utf-8"?>   
<configuration>     
<configuration>     
   <system.webServer>       
   <system.webServer>       
Line 12: Line 16:
     </cors>
     </cors>
   </system.webServer>   
   </system.webServer>   
</configuration></pre>To do this on App level - change Web.config in the same way - but beware that web-config is part of the installation and will be replaced on update.
</configuration></pre>To do this on App level - change Web.config in the same way - but beware that web-config is part of the installation and will be replaced upon update.


Good links:
Details from the IIS team on how to configure CORS using XML (like above):
* Details from the IIS team on details on how to configure CORS using XML (like above): https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module  
* https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module  


* https://www.w3.org/wiki/CORS_Enabled
* https://www.w3.org/wiki/CORS_Enabled


* https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api
* https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api
To test that CORS is active, you can use this online tool, for example. Just enter the root URL of your site in "Remote URL"
To test that CORS is active, you can use this online tool, for example, https://www.test-cors.org/.


https://www.test-cors.org/
Just enter the root URL of your site in "Remote URL".


== Contender Implementation - Cors with Dynamic Decisions ==
== Contender Implementation - Cors With Dynamic Decisions ==
To allow dynamic decisions on whom to allow Cors entry, you can now implement this model pattern:
To allow dynamic decisions on whom to allow Cors entry, you can now implement this model pattern:
[[File:2020-09-16 17h27 21.png|none|thumb|608x608px]]
[[File:2020-09-16 17h27 21.png|none|thumb|608x608px]]
Class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean
Class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean


This method will be called when you use RestAllowed Viewmodels and the callers Origin in small caps will be given in the parameter.
This method will be called when you use RestAllowed Viewmodels and the caller's Origin in small caps will be given in the parameter.


This example returns true for all -> which means that all origins are ok.
This example returns true for all -> which means that all origins are ok.
Line 35: Line 39:
A more realistic implementation might be:  
A more realistic implementation might be:  
  MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed
  MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed
The check is cached in an internal Dictionary for 10 minutes - changes will only be discovered in 10-minute intervals.
The check is cached in an internal Dictionary for 10 minutes - changes will be discovered in 10-minute intervals.


If the model pattern is wrong, you get an exception in the turnkey log:  
If the model pattern is wrong, you get an exception in the Turnkey log:  
  CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)
  CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)
NOTE - if you have Cors-middleware in IIS or Cassini you will not see the effect from the above since middleware will overwrite.
'''NOTE''' - if you have Cors-middleware in IIS or Cassini, you will not see the effect from the above since middleware will overwrite.


If cors headers are applied, this is what we apply:
If Cors headers are applied, this is what we apply:
  Response.Headers.Add("Access-Control-Allow-Origin", cleanorg);
  Response.Headers.Add("Access-Control-Allow-Origin", cleanorg);
  Response.Headers.Add("Access-Control-Allow-Credentials", "true");
  Response.Headers.Add("Access-Control-Allow-Credentials", "true");
Line 67: Line 71:
</pre>
</pre>


==== Writing to ViewModels from javascript ====
==== Writing to ViewModels from Javascript ====
Post data to a ViewModel driven MDriven Form (ie not the best way - but rather just injecting data into standard UI) you can proceed like this:  
Post data to a ViewModel-driven MDriven Form (i.e., not the best way - but rather injecting data into standard UI) - you can proceed like this:  
<pre>
<pre>
         let formData = new FormData();
         let formData = new FormData();
Line 91: Line 95:
[[Category:Security]]
[[Category:Security]]
[[Category:IIS]]
[[Category:IIS]]
{{Edited|July|12|2024}}
[[Category:TOC]]

Latest revision as of 13:46, 26 March 2024

Definition

Find a good description for CORS (Cross-Origin Resource Sharing) at this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Learn more about CORS here: https://youtube.com/watch?v=Ka8vG5miErk

Enabling CORS

To enable CORS on IIS - all sites on the machine:

Add a or change web.config on the root website (Default Web site):

<?xml version="1.0" encoding="utf-8"?>  
<configuration>    
  <system.webServer>      
    <cors enabled="true" failUnlistedOrigins="true">
      <add origin="*"/>
      <add origin="https://www.test-cors.org" allowCredentials="true" >
        <allowHeaders allowAllRequestedHeaders="true"/>
      </add>
    </cors>
  </system.webServer>  
</configuration>

To do this on App level - change Web.config in the same way - but beware that web-config is part of the installation and will be replaced upon update.

Details from the IIS team on how to configure CORS using XML (like above):

To test that CORS is active, you can use this online tool, for example, https://www.test-cors.org/.

Just enter the root URL of your site in "Remote URL".

Contender Implementation - Cors With Dynamic Decisions

To allow dynamic decisions on whom to allow Cors entry, you can now implement this model pattern:

2020-09-16 17h27 21.png

Class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean

This method will be called when you use RestAllowed Viewmodels and the caller's Origin in small caps will be given in the parameter.

This example returns true for all -> which means that all origins are ok.

A more realistic implementation might be: 

MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed

The check is cached in an internal Dictionary for 10 minutes - changes will be discovered in 10-minute intervals.

If the model pattern is wrong, you get an exception in the Turnkey log: 

CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)

NOTE - if you have Cors-middleware in IIS or Cassini, you will not see the effect from the above since middleware will overwrite.

If Cors headers are applied, this is what we apply: 

Response.Headers.Add("Access-Control-Allow-Origin", cleanorg);
Response.Headers.Add("Access-Control-Allow-Credentials", "true");
Response.Headers.Add("Access-Control-Allow-Headers", "authorization"); 
Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET"); 
Response.Headers.Add("Vary", "Origin");

You may also send (not recommended due to the open nature of the web) the credentials in the basic authentication scheme: 

function myFunction(){
        $.ajax({
            type: "get",
            url: "http://localhost:5052/TurnkeyRest/Get?command=AutoFormClass1x&id=1!45",
            xhrFields: { withCredentials: true },
            headers: {
                "Authorization": "Basic " + btoa("theuser:thepwd")
            }
        }).done(function (data) {
            debugger;
            $('#value1').text(data);
        }).fail(function (jqXHR, textStatus, errorThrown) {
            debugger;
            $('#value1').text(jqXHR.responseText || textStatus);
        });
        }

Writing to ViewModels from Javascript

Post data to a ViewModel-driven MDriven Form (i.e., not the best way - but rather injecting data into standard UI) - you can proceed like this: 

        let formData = new FormData();
        formData.append("Filter", "v");
        fetch('https://YOURTURNKEYSITE/TurnkeyRest/Post?command=AutoFormSysUserSeeker', {
            headers: new Headers(),
            method: "POST",
            mode: 'cors',
            body: formData
        }).then((response) => {
                if (response.ok) {
                    return response.json()
                } else {
                    //
                }
            }).then((responseJsonData) => {
                callback && callback(responseJsonData);
            }).catch((error) => {
                console.log("getWatchHistory error " + error);
            });
This page was edited more than 9 months ago on 03/26/2024. What links here
Retrieved from "https://newwikicopy.mdriven.net/index.php?title=Documentation:Cors&oldid=17720"

© MDRIVEN . All Rights Reserved

Glossary API Docs
MDriven World | Portal | Blog | YouTube | StackOverflow | Facebook

© MDRIVEN . All Rights Reserved