Documentation:Cors: Difference between revisions

Cors

Latest revision as of 13:46, 26 March 2024

Definition

Find a good description for CORS (Cross-Origin Resource Sharing) at this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Learn more about CORS here: https://youtube.com/watch?v=Ka8vG5miErk

Enabling CORS

To enable CORS on IIS - all sites on the machine:

Add a or change web.config on the root website (Default Web site):

<?xml version="1.0" encoding="utf-8"?>  
<configuration>    
  <system.webServer>      
    <cors enabled="true" failUnlistedOrigins="true">
      <add origin="*"/>
      <add origin="https://www.test-cors.org" allowCredentials="true" >
        <allowHeaders allowAllRequestedHeaders="true"/>
      </add>
    </cors>
  </system.webServer>  
</configuration>

To do this on App level - change Web.config in the same way - but beware that web-config is part of the installation and will be replaced upon update.

Details from the IIS team on how to configure CORS using XML (like above):

https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module

https://www.w3.org/wiki/CORS_Enabled

https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api

To test that CORS is active, you can use this online tool, for example, https://www.test-cors.org/.

Just enter the root URL of your site in "Remote URL".

Contender Implementation - Cors With Dynamic Decisions

To allow dynamic decisions on whom to allow Cors entry, you can now implement this model pattern:

Class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean

This method will be called when you use RestAllowed Viewmodels and the caller's Origin in small caps will be given in the parameter.

This example returns true for all -> which means that all origins are ok.

A more realistic implementation might be:

MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed

The check is cached in an internal Dictionary for 10 minutes - changes will be discovered in 10-minute intervals.

If the model pattern is wrong, you get an exception in the Turnkey log:

CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)

NOTE - if you have Cors-middleware in IIS or Cassini, you will not see the effect from the above since middleware will overwrite.

If Cors headers are applied, this is what we apply:

Response.Headers.Add("Access-Control-Allow-Origin", cleanorg);
Response.Headers.Add("Access-Control-Allow-Credentials", "true");
Response.Headers.Add("Access-Control-Allow-Headers", "authorization"); 
Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET"); 
Response.Headers.Add("Vary", "Origin");

You may also send (not recommended due to the open nature of the web) the credentials in the basic authentication scheme:

function myFunction(){
        $.ajax({
            type: "get",
            url: "http://localhost:5052/TurnkeyRest/Get?command=AutoFormClass1x&id=1!45",
            xhrFields: { withCredentials: true },
            headers: {
                "Authorization": "Basic " + btoa("theuser:thepwd")
            }
        }).done(function (data) {
            debugger;
            $('#value1').text(data);
        }).fail(function (jqXHR, textStatus, errorThrown) {
            debugger;
            $('#value1').text(jqXHR.responseText || textStatus);
        });
        }

Writing to ViewModels from Javascript

Post data to a ViewModel-driven MDriven Form (i.e., not the best way - but rather injecting data into standard UI) - you can proceed like this:

        let formData = new FormData();
        formData.append("Filter", "v");
        fetch('https://YOURTURNKEYSITE/TurnkeyRest/Post?command=AutoFormSysUserSeeker', {
            headers: new Headers(),
            method: "POST",
            mode: 'cors',
            body: formData
        }).then((response) => {
                if (response.ok) {
                    return response.json()
                } else {
                    //
                }
            }).then((responseJsonData) => {
                callback && callback(responseJsonData);
            }).catch((error) => {
                console.log("getWatchHistory error " + error);
            });

This page was edited 44 days ago on 03/26/2024. What links here

@@ Line 1: / Line 1: @@
-To enable cors on IIS - all sites on the machine:
+=== Definition ===
+Find a good description for CORS (Cross-Origin Resource Sharing) at this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
-Add a or change web.config on the root web site (Default Web site)<pre><?xml version="1.0" encoding="utf-8"?>
+Learn more about CORS here: https://youtube.com/watch?v=Ka8vG5miErk
+== Enabling CORS ==
+To enable CORS on IIS - all sites on the machine:
+Add a or change web.config on the root website (Default Web site):<pre><?xml version="1.0" encoding="utf-8"?>
 <configuration>
    <system.webServer>
@@ Line 11: / Line 16: @@
      </cors>
    </system.webServer>
-</configuration></pre>To do this on App level - change Web.config in the same way - but beware that web-config is part of installation and will be replaced on update.
+</configuration></pre>To do this on App level - change Web.config in the same way - but beware that web-config is part of the installation and will be replaced upon update.
-Good links:
+Details from the IIS team on how to configure CORS using XML (like above):
-* Details from the IIS team on details on how to configure CORS using XML (like above): https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
+* https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
 * https://www.w3.org/wiki/CORS_Enabled
 * https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api
-Testing that CORS is active, you can use for example this online tool. Just enter the root URL of your site in "Remote URL"
+To test that CORS is active, you can use this online tool, for example, https://www.test-cors.org/.
-https://www.test-cors.org/
+Just enter the root URL of your site in "Remote URL".
-== Contender implementation - Cors with dynamic decisions ==
+== Contender Implementation - Cors With Dynamic Decisions ==
-To allow dynamic decisions on whom to allow cors entry you can now implement this model pattern:
+To allow dynamic decisions on whom to allow Cors entry, you can now implement this model pattern:
 [[File:2020-09-16 17h27 21.png|none|thumb|608x608px]]
 Class named TK_WebCors with a static method GetAllowOrigin(org:String):Boolean
-This method will be called when you use RestAllowed viewmodels and the callers Origin in small caps will be given in the parameter.
+This method will be called when you use RestAllowed Viewmodels and the caller's Origin in small caps will be given in the parameter.
-This example returns true for all -> that means that all origins are ok.
+This example returns true for all -> which means that all origins are ok.
-A more realistic implementation might be
+A more realistic implementation might be:
   MyValidCorsCallers.allinstances->select(x|x.Origin=org)->first.Allowed
-The check is cached in a internal Dictionary for 10 minutes - changes will only be discovered in 10 minutes intervalls.
+The check is cached in an internal Dictionary for 10 minutes - changes will be discovered in 10-minute intervals.
-If the model pattern is wrong you get an exception in turnkey log:
+If the model pattern is wrong, you get an exception in the Turnkey log:
   CentralLogging("CheckCorsHeaders - check model pattern static TK_WebCors.GetAllowOrigin(vOrigin):string", ex)
-NOTE - if you have Cors-middleware in IIS or Cassini you will not see the effect from the above since middleware will overwrite.
+'''NOTE''' - if you have Cors-middleware in IIS or Cassini, you will not see the effect from the above since middleware will overwrite.
-If cors headers are applied this is what we apply:
+If Cors headers are applied, this is what we apply:
   Response.Headers.Add("Access-Control-Allow-Origin", cleanorg);
   Response.Headers.Add("Access-Control-Allow-Credentials", "true");
@@ Line 46: / Line 51: @@
   Response.Headers.Add("Access-Control-Allow-Methods", "POST, GET");
   Response.Headers.Add("Vary", "Origin");
-You may also send (not recommended due to open nature of web) credentials in basic authentication scheme:
+You may also send (not recommended due to the open nature of the web) the credentials in the basic authentication scheme:
 <pre>
 function myFunction(){
@@ Line 66: / Line 71: @@
 </pre>
-==== Writing to ViewModels from javascript ====
+==== Writing to ViewModels from Javascript ====
-Post data to a ViewModel driven MDriven Form you can go like this:
+Post data to a ViewModel-driven MDriven Form (i.e., not the best way - but rather injecting data into standard UI) - you can proceed like this:
 <pre>
          let formData = new FormData();
          formData.append("Filter", "v");
-         fetch('https://openschema.azurewebsites.net/TurnkeyRest/Post?command=AutoFormSysUserSeeker', {
+         fetch('https://YOURTURNKEYSITE/TurnkeyRest/Post?command=AutoFormSysUserSeeker', {
              headers: new Headers(),
              method: "POST",
@@ Line 88: / Line 93: @@
              });
 </pre>
+[[Category:Security]]
+[[Category:IIS]]
+{{Edited|July|12|2024}}
+[[Category:TOC]]