简体繁体 English

Azure AD B2C页面UI自定义的CORS配置

[英]CORS Configuration for Azure AD B2C Page UI Customization

原文 2018-06-02 18:29:06 3 1 azure/ azure-active-directory/ azure-ad-b2c/ azure-blob-storage

I'm using a custom page UI template for my Azure AD B2C sign in/sign up and I want to know what domain I need to use in CORS configuration in my Azure Blob Storage account. 我正在为Azure AD B2C登录/注册使用自定义页面UI模板，我想知道我需要在Azure Blob存储帐户的CORS配置中使用哪个域。

Login page seems to come from https://login.microsoftonline.com . 登录页面似乎来自https://login.microsoftonline.com 。 Is that the correct origin? 那是正确的起源吗？

When I use the StorageClient command line tool Microsoft created for uploading my custom UI files to my Azure Blob Storage, I've noticed that it sets it to * for Allowed Origins which the documentation indicates as well. 当我使用Microsoft创建的StorageClient命令行工具将我的自定义UI文件上传到我的Azure Blob存储时，我注意到该文件也将其设置为* Allowed Origins 。 Here's the documentation: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-ui-customization-custom-dynamic#step-3-configure-cors-in-azure-app-service 这是文档： https : //docs.microsoft.com/zh-cn/azure/active-directory-b2c/active-directory-b2c-ui-customization-custom-dynamic#step-3-configure-cors-in- Azure应用服务

I don't think this is really secure and I want to limit it to only those domains that are absolutely necessary. 我认为这不是真的安全，我想将其限制为仅那些绝对必要的域。

I want to do this for two reasons, both of which are pretty important: 我要这样做有两个原因，这两个原因都很重要：

I want to keep security as tight as possible and allowing any origin doesn't seem secure. 我想保持尽可能严格的安全性，并且允许任何来源似乎都不安全。
More importantly, CORS is set at service level on Azure Blob Storage and not container level. 更重要的是， CORS是在Azure Blob存储的服务级别而不是容器级别设置的。 I have other containers under the same storage account that contain user files. 我在同一存储帐户下还有其他包含用户文件的容器。 Those files should only be accessible from my app which creates a SAS to allow access to them. 只能从我的应用程序访问这些文件，该应用程序创建了SAS以允许对其进行访问。 If I set the Allowed Origins for CORS to any, it will make my app less secure even though the protected files will still require a SAS. 如果我将CORS的“ Allowed Origins设置为任何值，即使受保护的文件仍需要SAS，也会使我的应用程序安全性降低。 As I said before, I want to keep security as tight as possible. 正如我之前所说，我想保持尽可能严格的安全性。

So, the question is: what URL should I enter under Allowed Origins in my CORS configuration for Azure AD B2C? 因此，问题是：在Azure AD B2C的CORS配置中，我应在“ Allowed Origins下输入哪个URL？ I don't just want to make the assumption that it's https://login.microsoftonline.com because Microsoft usually does a few redirects in their services and I want to make sure all the necessary origins are included. 我不只是要假设它是https://login.microsoftonline.com因为Microsoft通常会在其服务中进行一些重定向，并且我想确保所有必需的来源都包括在内。