CORS same origin policy

jezzsantos · July 1, 2019, 11:29pm

Looking at docs, it is not clear to me how to set up CORS for same origin policy.
https://docs.servicestack.net/corsfeature

i.e. for a JS SPA client and its associated service API that exists on the same webserver that the JS App is served from.

How to achieve the same origin policy with the CorsFeature?

Ideally, I do not want to hardcode a string of the current host, port into the ctor, since that will change at runtime, and could be gotten either from config or from http request.

mythz · July 2, 2019, 2:09am

The whole point of Cross-origin-resource sharing (CORS) is to allow “cross-domain requests” which are disabled by default by the browsers same-origin security policy, if you only wanted to allow same-origin requests you wouldn’t need to register CORS at all - that’s the browsers default policy.

Otherwise you can specify which origins you want to allow access in the allowOriginWhitelist:

Plugins.Add(new CorsFeature(
    allowOriginWhitelist: new[] { "http://localhost","http://localhost:5000","http://run.plnkr.co" },
    allowCredentials: true,
    allowedHeaders: "Content-Type, Allow, Authorization, X-Args"));

jezzsantos · July 2, 2019, 7:02am

Thanks. Might be worth adding that point to the docs.

So that devs know how to configure SameOriginPolicy for specific services to be secure?

mythz · July 2, 2019, 8:11am

I don’t understand exactly what you’re asking, are you asking about something other than same origin policy? Maybe like Same Site Cookies? or something else?

Same origin is the default, you can only be unsafe by enabling CORS when you don’t want it, you literally have to do nothing. I’m not sure where the confusion is? no-one has asked about how to enable the default same origin security policy - it’s always about how to enable CORS to enable their cross-domain requests from working.

jezzsantos · July 2, 2019, 10:11am

I am trying to say that devs who don’t know that ‘Same Origin Policy’ is the default, and therefore it requires no headers to be sent, and therefore they don’t need to configure the CorsFeature at all. Is just a useful bit of information they could/should read in the docs. - thats all.

mythz · July 2, 2019, 11:02am

Devs who know what Same Origin Policy means will know that’s browsers default behavior, I mean the existence of the term is because of the restriction browsers added and the reason why CORS even exists. Anyone wanting to enable CORS wants to know how they can enable it, not how they can restrict the very thing they want to enable.

Docs should not waste real-estate on things no-one’s looking for and why I’m confused about what exactly is being asked.