FYI: Cors fails when comma separated items contain whitespace

mbalsam · June 7, 2019, 8:16pm

We have many hosts in our CORS string. In the log file we put each one on its own line, so we can see whats what.

<add key="PortalCorsOriginUrl" value="http://localhost:4200,
http://localhost:4300,
http://10.1.1.56:4200,
http://192.168.0.101:4200,
http://192.168.0.101:4300,
http://10.1.1.160:4200,
http://10.1.1.160:4300,

"/>

We found that this broke Cors, as items on lines that started with CR or spaces were not detected.

        var origin = G.SystemConfig.PortalCorsOriginUrl;
        var originList = origin.Split(',');
         Plugins.Add(new CorsFeature(allowOriginWhitelist: originList,allowed):

To fix it we needed to add

        var origin = G.SystemConfig.PortalCorsOriginUrl;
        var originList = origin.Split(',').Select(r => r.Trim()).ToList();
        Plugins.Add(new CorsFeature(allowOriginWhitelist: originList, allowed:

Not sure if its a bug, but its a very difficult issue to track down.

mythz · June 7, 2019, 8:21pm

Plugin properties have no coupling to the configuration sources you’re using, make sure the properties you populate use valid configuration, you should not be expecting configuration properties to santize your invalid inputs, it will use whatever you specify.

mbalsam · June 7, 2019, 8:27pm

Understood. Its just a FYI to others… Thanks.