I’m trying to CORS-enable my internal domain without having a static list in CorsFeature. As I’m using allowCredentials, a wildcard isn’t going to work with Chrome, so is dynamically setting the Allow-Origin via a PreRequest filter the appropriate choice?
e.g. something like:

    PreRequestFilters.Add((httpReq, httpRes) =>
    {
        if (httpReq.Verb == "OPTIONS")
        {
            var origin = httpReq.Headers.Get("Origin");
            if (origin != null && origin.Contains("internal.domain"))
            {
                httpRes.AddHeader(HttpHeaders.AllowOrigin, origin);
            }
            httpRes.EndRequest();
        }
    });

Or is there a way I can handle this use case using a CorsFeature parameter?
I guess I should have looked at the code first; I didn’t realize allowOriginWhiteList was using a Contains under the covers. I was putting full URLs in the list… I should be able to get away with just putting domain names in the list without any modifications… Thanks!
Edit to include reasoning: It conflates the API with a similar but custom behavior that doesn’t map cleanly to a CORS concept, which would add confusion as to which one should be used, whether both need to be specified, what the differences of each are, etc. (which is hard to infer by just looking at the API usage), a complexity cost which doesn’t justify a niche feature which hasn’t been requested before.
The CorsFeature impl is simple and small enough to maintain a modified copy so that would be the preferred solution.
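
For anyone maintaining a modified copy or a filter like the one in the question: a substring test on the raw `Origin` header also matches origins outside the internal domain, which matters when credentials are allowed. The following is an added example, not code from this thread or from ServiceStack; `OriginPolicy` and `Match` are hypothetical names, `internal.domain` is the placeholder from the question, and the HTTPS-only rule is an assumption.

```csharp
using System;

// Added example, not ServiceStack code. OriginPolicy and Match are hypothetical names.
public static class OriginPolicy
{
    private const string AllowedDomain = "internal.domain"; // placeholder from the question

    // Returns the value to send in Access-Control-Allow-Origin, or null to send none.
    public static string Match(string origin)
    {
        if (string.IsNullOrEmpty(origin)) return null;
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)) return null; // e.g. "null"
        if (uri.Scheme != Uri.UriSchemeHttps) return null; // assumption: HTTPS origins only
        // An Origin is scheme://host[:port] only: no userinfo, path, query or fragment.
        if (uri.UserInfo.Length != 0 || uri.AbsolutePath != "/" ||
            uri.Query.Length != 0 || uri.Fragment.Length != 0) return null;

        // Compare the parsed host, anchored on a label boundary, not the raw string.
        var host = uri.Host;
        var allowed = host.Equals(AllowedDomain, StringComparison.OrdinalIgnoreCase)
            || host.EndsWith("." + AllowedDomain, StringComparison.OrdinalIgnoreCase);

        // Echo the normalized origin. A response that varies by Origin should also
        // carry "Vary: Origin" so caches do not reuse it across origins.
        return allowed ? uri.GetLeftPart(UriPartial.Authority) : null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample Origin values.
        string[] samples =
        {
            "https://internal.domain",
            "https://api.internal.domain:8443",
            "http://api.internal.domain",
            "https://notinternal.domain",
            "https://internal.domain.attacker.example",
            "https://attacker.example/?internal.domain",
            "null",
        };
        foreach (var o in samples)
        {
            var substring = o.Contains("internal.domain"); // the check from the question
            var strict = OriginPolicy.Match(o) ?? "(no header)";
            Console.WriteLine($"{o,-44} substring={substring,-5} strict={strict}");
        }
    }
}
```

Running it prints, for each constructed origin, whether the substring test from the question would accept it next to what the strict match would echo back.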