No edit summary
No edit summary
Line 46: Line 46:
  Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET");  
  Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET");  
  Response.Headers.Add("Vary", "Origin");
  Response.Headers.Add("Vary", "Origin");
You may also send (not recommended due to open nature of web) credentials in basic authentication scheme:

Revision as of 10:09, 17 September 2020

To enable cors on IIS - all sites on the machine:

Add a or change web.config on the root web site (Default Web site)

<?xml version="1.0" encoding="utf-8"?>  
    <cors enabled="true" failUnlistedOrigins="true">
      <add origin="*"/>
      <add origin="" allowCredentials="true" >
        <allowHeaders allowAllRequestedHeaders="true"/>

To do this on App level - change Web.config in the same way - but beware that web-config is part of installation and will be replaced on update.

Good links:

Testing that CORS is active, you can use for example this online tool. Just enter the root URL of your site in "Remote URL"

Contender implementation - Cors with dynamic decisions

To allow dynamic decisions on whom to allow cors entry you can now implement this model pattern:

2020-09-16 17h27 21.png

Class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean

This method will be called when you use RestAllowed viewmodels and the callers Origin in small caps will be given in the parameter.

This example returns true for all -> that means that all origins are ok.

A more realistic implementation might be


The check is cached in a internal Dictionary for 10 minutes - changes will only be discovered in 10 minutes intervalls.

If the model pattern is wrong you get an exception in turnkey log:

CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)

NOTE - if you have Cors-middleware in IIS or Cassini you will not see the effect from the above since middleware will overwrite.

If cors headers are applied this is what we apply:

Response.Headers.Add("Access-Control-Allow-Origin", cleanorg);
Response.Headers.Add("Access-Control-Allow-Credentials", "true");
Response.Headers.Add("Access-Control-Allow-Headers", "authorization"); 
Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET"); 
Response.Headers.Add("Vary", "Origin");

You may also send (not recommended due to open nature of web) credentials in basic authentication scheme:

This page was edited more than 10 months ago on 03/26/2024. What links here