CORS whitelisting an entire (internal) domain

I’m trying to CORS enable my internal domain without having a static list in CorsFeature. As I’m using allowCredentials, a wildcard isn’t going to work with Chrome, so is dynamically setting the Allow-Origin via a PreRequest filter the appropriate choice?

e.g. something like

    PreRequestFilters.Add((httpReq, httpRes) =>
    {
        if (httpReq.Verb == "OPTIONS")
        {
            var origin = httpReq.Headers.Get("Origin");
            if (origin != null && origin.Contains("internal.domain"))
            {
                httpRes.AddHeader(HttpHeaders.AllowOrigin, origin);
            }
            httpRes.EndRequest();
        }
    });

Or is there a way I can handle this use case using a CorsFeature parameter?

I’d recommend taking a copy of CorsFeature and modifying it with your custom logic but leave everything else.

I guess I should have looked at the code first, didn’t realize allowOriginWhiteList was using a Contains under the covers, I was putting full URLs in the list…I should be able to get away with just putting domain names in the list without any modifications… Thanks!


Actually I read that wrong, the Contains is in the wrong direction for my use case :smile:

The filter for allowedWhitelist works like so:

    if (allowOriginWhitelist != null)
    {
        void allowOriginFilter(IRequest httpReq, IResponse httpRes)
        {
            var origin = httpReq.Headers.Get(HttpHeaders.Origin);
            if (allowOriginWhitelist.Contains(origin))
            {
                httpRes.AddHeader(HttpHeaders.AllowOrigin, origin);
            }
        }

        appHost.PreRequestFilters.Add(allowOriginFilter);
    }

Would you take a PR for a new param, allowOriginDomains that reverses the comparison?

e.g.

    if (allowOriginDomains != null)
    {
        void allowOriginDomainsFilter(IRequest httpReq, IResponse httpRes)
        {
            var origin = httpReq.Headers.Get(HttpHeaders.Origin);
            // Origin is absent on non-CORS requests, so guard before calling Contains.
            if (origin != null && allowOriginDomains.Any(origin.Contains))
            {
                httpRes.AddHeader(HttpHeaders.AllowOrigin, origin);
            }
        }

        appHost.PreRequestFilters.Add(allowOriginDomainsFilter);
    }

or is that too esoteric a use case?

No just maintain a local copy to satisfy your use-case.


Edit include reasoning: It conflates the API with a similar but custom behavior that doesn’t map cleanly to a CORS concept which would add confusion as to which one should be used, whether both need to be specified, what are the differences of each, etc. (which is hard to infer by just looking at the API Usage) a complexity cost which doesn’t justify a niche feature which hasn’t been requested before.

The CorsFeature impl is simple and small enough to maintain a modified copy so that would be the preferred solution.

Completely understand… thanks for the support as always!

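Both substring checks posted in this thread (`origin.Contains("internal.domain")` and `allowOriginDomains.Any(origin.Contains)`) also accept any origin that merely contains the domain text, which matters because the matched origin is echoed back with credentials allowed. The following is an added example, not code from the thread or from ServiceStack: a host-suffix check for a modified `CorsFeature` copy, run next to the substring test. `OriginCheck` and `IsAllowedOrigin` are hypothetical names, the sample origins are constructed, and it assumes internal apps are served over HTTPS.

```csharp
using System;
using System.Linq;

// Added example, not ServiceStack code. "internal.domain" is the thread's
// placeholder; the sample origins are constructed.
public static class OriginCheck
{
    // True only if the Origin's host is an allowed domain or a subdomain of one.
    public static bool IsAllowedOrigin(string origin, string[] allowedDomains)
    {
        // Absent header, the opaque origin "null" and relative junk all fail here.
        if (string.IsNullOrEmpty(origin) ||
            !Uri.TryCreate(origin, UriKind.Absolute, out var uri))
            return false;

        // Assumption: internal apps use HTTPS, so plaintext origins are refused.
        if (uri.Scheme != Uri.UriSchemeHttps)
            return false;

        // An Origin is scheme://host[:port]; reject userinfo, path, query, fragment.
        if (uri.UserInfo.Length > 0 || uri.PathAndQuery != "/" || uri.Fragment.Length > 0)
            return false;

        // Compare whole DNS labels: exact match, or a suffix that starts at a dot.
        return allowedDomains.Any(d =>
            uri.Host.Equals(d, StringComparison.OrdinalIgnoreCase) ||
            uri.Host.EndsWith("." + d, StringComparison.OrdinalIgnoreCase));
    }

    public static void Main()
    {
        var allowed = new[] { "internal.domain" };
        var samples = new[]   // constructed Origin header values
        {
            "https://app.internal.domain",
            "https://internal.domain:8443",
            "https://internal.domain.other.example",  // domain text is only a prefix
            "https://notinternal.domain",             // domain text is not label-aligned
            "http://app.internal.domain",             // plaintext scheme
            "null",
        };
        foreach (var s in samples)
            Console.WriteLine($"{s,-40} Contains={s.Contains(allowed[0]),-5} host match={IsAllowedOrigin(s, allowed)}");

        // In the thread's filter, the check would gate the existing call:
        //   if (OriginCheck.IsAllowedOrigin(origin, domains))
        //       httpRes.AddHeader(HttpHeaders.AllowOrigin, origin);
    }
}
```

Because the allowed origin is echoed per request, the response should also carry `Vary: Origin` so a shared cache does not serve one origin's header to another.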