Can someone implement a CorsPolicy implementation with an explicit Origins list?

The SignalR API Guide specifies the following information in the configuration comments:

// Setup the CORS middleware to run before SignalR.
// By default this will allow all origins. You can 
// configure the set of origins and/or http verbs by
// providing a cors options with a different policy.
map.UseCors(CorsOptions.AllowAll);

      

However, the Origins property for System.Web.CorsPolicy has a private setter, no constructor to input raw data, and no public customization method. As far as the Origins list goes, it seems like it exposes the "AllowAllOrigins" property and then the useless Origins getter that only reflects the empty list created when the CorsPolicy was built.


Of particular note, the default app.UseCors(CorsOptions.AllowAll) setting is completely incoherent. By its own tooltip, it is "Policy that allows all headers, all methods, any origin, and supports credentials."

A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true

      

My configuration is currently a "silly simple" SignalR configuration:

public void Configuration(IAppBuilder app)
{                
    app.UseCors(CorsOptions.AllowAll);
    app.MapSignalR();
}

      

Can anyone provide a Microsoft.Owin.Cors.CorsMiddleware example that overrides the "AllowAll" options with an explicit "Access-Control-Allow-Origin" list?

+3




1 answer


Have you reviewed the source for CorsOptions.AllowAll? It shows how a CorsOptions is created. You could do something like:

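// Namespaces needed: System.Threading.Tasks, System.Web.Cors, Microsoft.Owin.Cors
var policy = new CorsPolicy
{
    AllowAnyHeader = true,
    AllowAnyMethod = true,
    AllowAnyOrigin = false, // False by default, just left it here.
    SupportsCredentials = true
};

// Origins has a private setter but is initialized by the constructor, so Add works.
policy.Origins.Add("http://foo.example.com");

app.UseCors(new CorsOptions
{
    PolicyProvider = new CorsPolicyProvider
    {
        // Called for each request; here every request gets the same policy.
        PolicyResolver = context => Task.FromResult(policy)
    }
});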

      



As you can see, you are setting a PolicyResolver property, which is a Func<IOwinRequest, Task<CorsPolicy>>. Based on the IOwinContext (for the current request) you need to return a CorsPolicy (also see its source). This should have the properties you need to fine-tune your policy. List properties have private setters (perhaps to avoid potential null pointers), but they are all initialized in the default constructor, so you can add to them.

+8
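
An added example (not part of the original answer and not the project's own code) that takes the per-request resolver one step further: it returns an explicit-origin, credentialed policy only for requests under /signalr, the default MapSignalR path, and null elsewhere. The origin values are placeholders and the Startup layout is an assumption.

```csharp
// Added example. Origins below are placeholders, not values from the page.
using System.Threading.Tasks;
using System.Web.Cors;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Owin;

public class Startup
{
    // Hypothetical allowlist: exact scheme://host[:port] strings, no wildcard.
    private static readonly string[] AllowedOrigins =
    {
        "https://app.example.com",
        "https://admin.example.com"
    };

    private static readonly CorsPolicy SignalRPolicy = BuildPolicy();

    private static CorsPolicy BuildPolicy()
    {
        var policy = new CorsPolicy
        {
            AllowAnyHeader = true,
            AllowAnyMethod = true,
            SupportsCredentials = true  // credentials need explicit origins
        };
        foreach (var origin in AllowedOrigins)
            policy.Origins.Add(origin); // list is created by the constructor
        return policy;
    }

    public void Configuration(IAppBuilder app)
    {
        // CORS middleware must be registered before SignalR.
        app.UseCors(new CorsOptions
        {
            PolicyProvider = new CorsPolicyProvider
            {
                // A null policy means the middleware adds no CORS headers,
                // so only the SignalR endpoints are exposed cross-origin.
                PolicyResolver = request => Task.FromResult(
                    request.Path.StartsWithSegments(new PathString("/signalr"))
                        ? SignalRPolicy
                        : null)
            }
        });
        app.MapSignalR();
    }
}
```

With SupportsCredentials set and AllowAnyOrigin left false, a matching request gets its own origin echoed in Access-Control-Allow-Origin rather than "*", which avoids the browser error quoted in the question.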

