Are wildcards in CORS origins supported to specify subdomains?

  • Question

  • User1927794951 posted

    In http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api it's described

    The origins parameter of the [EnableCors] attribute specifies which origins are allowed to access the resource. The value is a comma-separated list of the allowed origins.

    [EnableCors(origins: "http://www.contoso.com,http://www.example.com", 
        headers: "*", methods: "*")]

    You can also use the wildcard value “*” to allow requests from any origins.

    Are wildcards in CORS origins supported to specify subdomains?

    E.g. will the following work for www.contoso.com and xxx.example.com?

    [EnableCors(origins: "http://*.contoso.com,http://*.example.com" , headers: "*", methods: "*")]

    Wednesday, May 11, 2016 1:05 AM

Answers

  • User36583972 posted

    Hi MNF,

    Are wildcards in CORS origins supported to specify subdomains?

    No. But you can implement this dynamically for *.mydomain.com without the wildcard. You can refer to the following method (Custom CORS Policy Providers).

    MyCorsPolicy class:

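    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Net.Http;
    using System.Threading;
    using System.Threading.Tasks;
    using System.Web.Cors;
    using System.Web.Http;
    using System.Web.Http.Cors;

    public class MyCorsPolicy : Attribute, ICorsPolicyProvider
    {
        public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            var policy = new CorsPolicy();

            // The CORS decision is made on the caller's Origin header, not on the URI of the API request itself
            IEnumerable<string> values;
            Uri originUri;
            if (request.Headers.TryGetValues("Origin", out values)
                && Uri.TryCreate(values.FirstOrDefault(), UriKind.Absolute, out originUri))
            {
                // Host excludes the port and is already lower-cased by Uri
                var host = originUri.Host;
                if (host.EndsWith(".mydomain.com", StringComparison.Ordinal) || host == "mydomain.com")
                {
                    // returns a url with scheme, host and port (if different from 80/443) without any path or query string
                    var origin = originUri.GetComponents(UriComponents.SchemeAndServer, UriFormat.SafeUnescaped);
                    policy.Origins.Add(origin);
                }
            }

            return Task.FromResult(policy);
        }
    }

    [MyCorsPolicy]
    public class TestController : ApiController
    {
    }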
    

    ASP.NET Web API - CORS Support in ASP.NET Web API 2:

    https://msdn.microsoft.com/en-us/magazine/dn532203.aspx

    Best Regards,

    Yohann Lu

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, May 11, 2016 1:53 AM
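
The host check that such a policy provider depends on, as an added example that is not part of the original answer or of Web API itself. It goes beyond the answer's single mydomain.com by matching the Origin header against both base domains from the question; SubdomainOriginMatcher, Match and the sample Origin values are hypothetical names and constructed inputs.

```csharp
using System;
using System.Linq;

// Added example: hypothetical helper, not part of System.Web.Http.Cors.
public static class SubdomainOriginMatcher
{
    // Base domains taken from the question; subdomains are admitted by a leading-dot suffix match.
    private static readonly string[] BaseDomains = { "contoso.com", "example.com" };
    private static readonly string[] Schemes = { "http", "https" };

    // Returns the origin string to echo back, or null when the Origin is not allowed.
    public static string Match(string originHeader)
    {
        Uri origin;
        if (!Uri.TryCreate(originHeader, UriKind.Absolute, out origin))
            return null;                           // "null", empty or malformed value
        if (!Schemes.Contains(origin.Scheme))
            return null;                           // only web schemes are accepted
        // An origin is scheme://host[:port] only: refuse userinfo, path, query and fragment.
        if (origin.UserInfo.Length > 0 || origin.PathAndQuery != "/" || origin.Fragment.Length > 0)
            return null;

        string host = origin.Host;                 // lower-cased by Uri, port excluded
        bool allowed = BaseDomains.Any(d =>
            host == d || host.EndsWith("." + d, StringComparison.Ordinal));
        // Echo the exact origin (including a non-default port) instead of "*".
        return allowed ? origin.GetLeftPart(UriPartial.Authority) : null;
    }

    public static void Main()
    {
        // Constructed Origin header values.
        string[] samples =
        {
            "http://www.contoso.com",          // subdomain
            "https://xxx.example.com:8443",    // subdomain with a non-default port
            "http://contoso.com",              // base domain itself
            "http://notcontoso.com",           // suffix without a preceding dot
            "http://contoso.com.other.test",   // base domain not at the end of the host
            "ftp://www.contoso.com",           // non-HTTP scheme
            "null",                            // opaque origin serialization
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-32} -> {1}", s, Match(s) ?? "(denied)");
    }
}
```

Inside GetCorsPolicyAsync, a non-null result from Match would be the value added to policy.Origins.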

All replies

  • User1779161005 posted

    > Are wildcards in CORS origins supported to specify subdomains?

    No.

    Wednesday, May 11, 2016 1:24 AM
  • User1927794951 posted
    @yohann, thanks for the answer. I hadn't realized that the policy attribute is called for each request and has access to the request URI. It will do what I want.
    Friday, May 13, 2016 11:57 PM