-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement CORS Support #86
Comments
Before this feature be implemented, in case someone need CORS support. Could add following before sending response.
|
I couldn't get around enabling CORS together with authentication, any ideas? |
@lacu I just checked my code from a couple of months ago, this is all that I had to add for CORS to work in my setup: context.Response.AddHeader("Access-Control-Allow-Origin", "*");
context.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With"); If you are doing auth then it doesn't work, I had to remove auth for CORS to work: This doesn't work with CORS: server.Advanced.AuthenticationSchemes = System.Net.AuthenticationSchemes.Basic; If you find some way to get both working together please share, I'm interested :) |
@DavidFlamini , [RestRoute(HttpMethod = HttpMethod.PUT, PathInfo = @"^/ticket(\?[^/]*)?$")]
[RestRoute(HttpMethod = HttpMethod.PUT, PathInfo = @"^/ticket:(\?[^/]*)?$")]
[RestRoute(HttpMethod = HttpMethod.PUT, PathInfo ="/ticket")]
[RestRoute(HttpMethod = HttpMethod.OPTIONS, PathInfo = "/ticket")]
public IHttpContext Ticket(IHttpContext context)
{
context.Response.AddHeader("Access-Control-Allow-Origin", "*");
context.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With"); |
@lacu If I remember correctly, unless you are setting it upstream, then yes. You could have an upstream route set those for you, too. Please check here: https://sukona.github.io/Grapevine/en/getting-started.html "Responding To Requests" |
Hi, today I wanted to test locally with both CORS + Basic Auth without configuring a proxy and run into my own post, I ended up parsing the auth header myself like so:
|
I just finished updating the text of this issue to reflect the suggestions here for implementing CORS. Thanks for all of your input, guys! |
Hi Scott -- read your notes for 5.0 beta 1 respecting the UseCorsPolicy method. I'm finding that the several overloads that accept an Allow-Origin add a trailing slash to the transmitted header value. (e.g. "https://my.domain.com/" rather than "https://my.domain.com" . Current chrome transmits a non-slashed origin (e.g. "https://my.domain.com" which causes the CORS preflight to fail as a mismatched origin. I've worked around this by adding an async Task method that can be called to add Response headers during OnRequestAsync event, and adding my own headers via the .AddHeader Response method. This works to match the origin & supplied Allow-Origin header. But this isn't likely to be the best practice for overcoming. Am I doing something wrong with UseCorsPolicy? Also, does the UseCorsPolicy respond to OPTIONS requests during preflight with a HTTP_OK? It doesn't appear to do so. I assume it should be handled with an OPTIONS route? |
Given that CORS is disabled by default when using
HttpListener
, here is a work around until I can provide a more elegant solution.Implementing CORS
You can implement access control via CORS for all requests using a
BeforeRouting
delegate. Add additional filtering logic if you only want to the policy to vary based on the request. This avoids the need to add these lines to individual routes, and allows you to manage the policy for the entire server in a single location.Following are several ways you can define your policy.
Using the Wildcard
When using the wildcard value, it is important to remember that:
Additionally, when specifying
Access-Control-Allow-Headers
header:Single Origin
When specifying a single origin, it is important to remeber that:
Additionally, the
Vary
header should be provided:Dynamic Origin
Dynamic Routes
If only some routes should allow CORS, you can put whatever logic you want to see in the delegate based on the incoming request. Just remember to follow the rules outlined above!
The text was updated successfully, but these errors were encountered: