
After multiple hours of reading, I came to the conclusion that IIS doesn't support more than one "Access-Control-Allow-Origin" header.

Also, setting the value to "*" isn't allowed, which gives this error:

A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access.

Other SO questions came up with solutions like this one or this one, but I don't know where I have to change the header.

My application is written in .NET and I'm using IIS 8.5. My goal is to make a CORS request work for multiple origin domains. Do I have to write an IHttpModule to handle the origin header?

webprogrammer
  • Why exactly do you need both credentials and multiple origins? – Erik Funkenbusch Jun 18 '15 at 14:45
  • @ErikFunkenbusch Because one page makes another request but isn't allowed if not authenticated. – webprogrammer Jun 18 '15 at 14:58
  • I don't understand what you mean... you're going to have to be more descriptive. – Erik Funkenbusch Jun 18 '15 at 15:29
  • @ErikFunkenbusch I mean that I have CORS requests from domains A, B, C. In the web.config you can just add one ACAO `` and I need more than domain A! So I have to send the changed origin header back to accept more than one domain. If I change the value to `*`, the CORS request isn't working on the client side, e.g. Google Chrome, Firefox and so on. – webprogrammer Jun 19 '15 at 06:24
  • That still doesn't answer my question. WHY do you need this? I didn't ask WHAT you needed, I asked WHY you needed it. The standard doesn't allow it. There's nothing you can do to change that. The only possible solution is, in code, look at the request's domain, then dynamically issue the ACAO for that domain. – Erik Funkenbusch Jun 19 '15 at 14:00
  • @ErikFunkenbusch - I think "WHY" isn't really useful - his question was how to solve it with the two links -> how to use the solution from the two links... – Cadburry Jun 22 '15 at 06:02
  • @ErikFunkenbusch, as I wrote, I need this for multiple client software with different domains, e.g. for a hosting environment + an in-house environment. I know I can whitelist them on the firewall - but I want it on the software side. Please consider that I don't have access to the firewall. My current state is that I'm unable to do so - so I came up with an iframe solution. http://stackoverflow.com/questions/4701922/how-does-facebook-set-cross-domain-cookies-for-iframes-on-canvas-pages – webprogrammer Jun 22 '15 at 14:03
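
The approach Erik describes in the comments (inspect the request's Origin and emit a matching ACAO header per request) can be done with the IHttpModule the question asks about. The following is an added example, not code from the question or from either answer; the module name and the two allowlisted origins are placeholders. It only ever echoes an origin that is on an exact-match allowlist, sends no CORS headers at all for "null" or unknown origins, and adds Vary: Origin so caches do not serve one origin's answer to another.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical module name; the allowlist entries are constructed placeholders.
public class CorsAllowlistModule : IHttpModule
{
    // Exact match on scheme + host (+ port). Do not use substring or regex
    // matching here: "https://www.domainA.com.evil.example" must not pass.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://www.domainA.com",
            "https://www.domainB.com",
        };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string origin = ctx.Request.Headers["Origin"];

        // No Origin header: same-origin or non-browser request, nothing to add.
        if (string.IsNullOrEmpty(origin)) return;

        // The response depends on Origin even when we refuse, so tell caches.
        ctx.Response.AppendHeader("Vary", "Origin");

        // "null" and any origin not on the list get no CORS headers at all.
        // Never reflect the request's Origin unconditionally: together with
        // Allow-Credentials: true that would let any site make authenticated calls.
        if (!AllowedOrigins.Contains(origin)) return;

        ctx.Response.AppendHeader("Access-Control-Allow-Origin", origin);
        ctx.Response.AppendHeader("Access-Control-Allow-Credentials", "true");

        if (string.Equals(ctx.Request.HttpMethod, "OPTIONS", StringComparison.OrdinalIgnoreCase))
        {
            // Preflight: answer it here and skip the rest of the pipeline.
            ctx.Response.AppendHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            ctx.Response.AppendHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            ctx.Response.AppendHeader("Access-Control-Max-Age", "600");
            ctx.Response.StatusCode = 204;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    public void Dispose() { }
}
```

Register it in web.config under system.webServer/modules with an `<add name="CorsAllowlist" type="CorsAllowlistModule" />` entry (the name is a placeholder); in integrated pipeline mode it then runs for every request, including the OPTIONS preflight.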

2 Answers


I came up with my own solution, which also works like Google+ or Facebook auth. Here is another SO question based on iFrame auth.

You can use an iFrame as middleware. Within the iFrame I make a request to my application on same origin/domain.

For example:

My application comes from www.domainA.com, another from www.domainB.com, and both of them contain an iFrame from www.hostingdomain.com.

From www.hostingdomain.com I make a call to my web service and set a cookie based on .NET FormsAuthentication. For IE you have to use P3P to set a third-party cookie.

webprogrammer

You can use the IIS CORS Module: https://www.iis.net/downloads/microsoft/iis-cors-module

Your web.config should look something like this, replacing [origin_#] with your domains:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <!-- failUnlistedOrigins="true" rejects requests from origins not listed below -->
        <cors enabled="true" failUnlistedOrigins="true">
            <add origin="[origin_1]">
                <allowMethods>
                    <add method="GET" />
                    <add method="HEAD" />
                    <add method="POST" />
                    <add method="PUT" />
                    <add method="DELETE" />
                </allowMethods>
            </add>
            <add origin="[origin_2]">
                <allowMethods>
                    <add method="GET" />
                    <add method="HEAD" />
                    <add method="POST" />
                    <add method="PUT" />
                    <add method="DELETE" />
                </allowMethods>
            </add>
        </cors>
    </system.webServer>
</configuration>

You can find the configuration reference here: https://docs.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference

Mario Arturo