Revision as of 15:37, 16 September 2020
To enable CORS on IIS for all sites on the machine:
Add or change the web.config on the root web site (Default Web Site):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <cors enabled="true" failUnlistedOrigins="true">
      <add origin="*"/>
      <add origin="https://www.test-cors.org" allowCredentials="true">
        <allowHeaders allowAllRequestedHeaders="true"/>
      </add>
    </cors>
  </system.webServer>
</configuration>
To do this at app level, change the app's Web.config in the same way, but beware that this Web.config is part of the installation and will be replaced on update.
Good links:
- Details from the IIS team on how to configure CORS using XML (like above): https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
To test that CORS is active, you can use for example this online tool: just enter the root URL of your site in "Remote URL".
Contender implementation
To make dynamic decisions about which origins are allowed CORS access, you can now implement this model pattern:
A class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean
This method is called when you use RestAllowed viewmodels; the caller's Origin, converted to lower case, is passed in the parameter.
This example returns true for all, which means that all origins are accepted.
A more realistic implementation might be:
MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed
The check is cached in an internal Dictionary for 10 minutes, so changes are only discovered at 10-minute intervals.
If the model pattern is wrong you get an exception in the Turnkey log:
CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)
NOTE - if you have CORS middleware in IIS or Cassini you will not see the effect of the above, since the middleware will overwrite the headers.
If CORS headers are applied, this is what we apply:
Response.Headers.Add("Access-Control-Allow-Origin", cleanorg);
Response.Headers.Add("Access-Control-Allow-Credentials", "true");
Response.Headers.Add("Vary", "Origin");
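As an added example (not Turnkey's own code), the following Python simulation shows the behaviour described above end to end: the Origin is lower-cased, the allow decision from the model pattern is cached for 10 minutes, and an allowed origin gets exactly the three headers listed. The allow-list and the origins in it are constructed stand-ins for the MyValidCorsCallers instances in the OCL example.

```python
import time
from typing import Dict, Optional, Tuple

CACHE_TTL_SECONDS = 10 * 60  # decisions are cached for 10 minutes, as the page states

# Constructed stand-in for the MyValidCorsCallers objects of the OCL example:
# origin (already lower case) -> Allowed
VALID_CORS_CALLERS: Dict[str, bool] = {
    "https://app.example.com": True,
    "https://legacy.example.com": False,
}

# origin -> (decision, expiry timestamp); mirrors the internal Dictionary cache
_decision_cache: Dict[str, Tuple[bool, float]] = {}


def get_allow_origin(org: str) -> bool:
    """Stand-in for the model pattern TK_WebCors.GetAllowOrigin(org):Boolean.
    Equivalent of MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed;
    an unknown origin yields False (->first on an empty collection is null)."""
    return VALID_CORS_CALLERS.get(org, False)


def check_cors_headers(origin_header: Optional[str], now: Optional[float] = None) -> Dict[str, str]:
    """Return the response headers that would be added for this request.
    origin_header: raw Origin request header (absent -> no CORS headers at all).
    now: injectable clock so the cache expiry can be tested deterministically."""
    if not origin_header:
        return {}  # same-origin or non-browser request: nothing to add
    now = time.time() if now is None else now
    cleanorg = origin_header.strip().lower()  # the origin is given in small caps

    cached = _decision_cache.get(cleanorg)
    if cached is not None and cached[1] > now:
        allowed = cached[0]  # a revoked origin stays allowed until the entry expires
    else:
        allowed = bool(get_allow_origin(cleanorg))
        _decision_cache[cleanorg] = (allowed, now + CACHE_TTL_SECONDS)

    if not allowed:
        return {}  # no Access-Control-Allow-Origin: the browser blocks the cross-origin read
    # Credentials are allowed, so the header must echo one specific origin, never "*",
    # and Vary: Origin stops shared caches from replaying one origin's answer to another.
    return {
        "Access-Control-Allow-Origin": cleanorg,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```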