Hans Karlsen (talk | contribs)
Revision as of 15:36, 16 September 2020
To enable CORS on IIS for all sites on the machine:
Add or change the web.config of the root web site (Default Web Site):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <cors enabled="true" failUnlistedOrigins="true">
      <add origin="*"/>
      <add origin="https://www.test-cors.org" allowCredentials="true">
        <allowHeaders allowAllRequestedHeaders="true"/>
      </add>
    </cors>
  </system.webServer>
</configuration>
To do this at application level, change the application's Web.config in the same way, but beware that Web.config is part of the installation and will be replaced on update.
Good links:
- Details from the IIS team on how to configure CORS using XML (as above): https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
To test that CORS is active, you can use, for example, the online tool at https://www.test-cors.org/. Just enter the root URL of your site in "Remote URL".
Contender implementation
To decide dynamically which origins to allow CORS access, you can now implement this model pattern:
A class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean
This method is called when you use RestAllowed ViewModels, and the caller's Origin, in lower case, is passed in the parameter.
This example returns true for all, which means that all origins are OK.
A more realistic implementation might be:
MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed
The check is cached in an internal Dictionary for 10 minutes; changes will only be discovered at 10-minute intervals.
If the model pattern is wrong, you get an exception in the Turnkey log:
CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)
NOTE: if you have CORS middleware in IIS or Cassini, you will not see the effect of the above, since the middleware will overwrite the headers.
If CORS headers are applied, this is what we apply:
Response.Headers.Add("Access-Control-Allow-Origin", cleanorg);
Response.Headers.Add("Access-Control-Allow-Credentials", "true");
Response.Headers.Add("Vary", "Origin");
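The decision flow described in this section (lower-cased origin, model callback, 10-minute cache, the three headers) as an added C# sketch; it is not MDriven Turnkey source code. The class CorsOriginGate, the injected clock, the delegate standing in for TK_WebCors.GetAllowOrigin and the sample allow list are all hypothetical, and the echoed value is assumed to be the lower-cased origin.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for the check described above; not MDriven Turnkey source.
public sealed class CorsOriginGate
{
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(10); // interval stated above
    private readonly Func<string, bool> _getAllowOrigin; // plays the role of TK_WebCors.GetAllowOrigin
    private readonly Func<DateTime> _utcNow;             // injectable clock (assumption) to show expiry
    private readonly Dictionary<string, (bool Allowed, DateTime Expires)> _cache =
        new Dictionary<string, (bool Allowed, DateTime Expires)>();

    public CorsOriginGate(Func<string, bool> getAllowOrigin, Func<DateTime> utcNow)
    { _getAllowOrigin = getAllowOrigin; _utcNow = utcNow; }

    // Returns the headers to add; empty when the Origin is missing or refused.
    public Dictionary<string, string> HeadersFor(string originHeader)
    {
        var headers = new Dictionary<string, string>();
        if (string.IsNullOrWhiteSpace(originHeader)) return headers;
        string org = originHeader.Trim().ToLowerInvariant(); // the model method receives lower case
        DateTime now = _utcNow();
        if (!_cache.TryGetValue(org, out var entry) || entry.Expires <= now)
        {
            entry = (_getAllowOrigin(org), now + CacheTtl); // ask the model, remember the answer
            _cache[org] = entry;
        }
        if (!entry.Allowed) return headers;
        headers["Access-Control-Allow-Origin"] = org;   // echo the one accepted origin, never "*"
        headers["Access-Control-Allow-Credentials"] = "true";
        headers["Vary"] = "Origin";                     // keeps shared caches from mixing origins
        return headers;
    }
}

public static class Demo
{
    public static void Main()
    {
        var allowed = new HashSet<string> { "https://www.test-cors.org" }; // constructed allow list
        DateTime clock = new DateTime(2020, 9, 16, 15, 36, 0, DateTimeKind.Utc);
        var gate = new CorsOriginGate(o => allowed.Contains(o), () => clock);
        Console.WriteLine(gate.HeadersFor("https://www.test-cors.org").Count); // listed origin
        Console.WriteLine(gate.HeadersFor("https://other.example").Count);     // unlisted origin
        allowed.Clear();                 // revoke the origin in the model
        clock = clock.AddMinutes(9);
        Console.WriteLine(gate.HeadersFor("https://www.test-cors.org").Count); // cached answer still used
        clock = clock.AddMinutes(2);
        Console.WriteLine(gate.HeadersFor("https://www.test-cors.org").Count); // re-evaluated after expiry
    }
}
```

The third call shows the consequence of the cache: an origin revoked in the model keeps receiving the headers until its cached entry expires. Because the credentials header is sent for every accepted origin, a GetAllowOrigin that returns true for all origins lets any site make credentialed cross-origin requests.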