After multiple hours of reading, I found out that IIS doesn't support more than one "Access-Control-Allow-Origin" header.
Also, setting the value to "*" isn't allowed; it fails with this error:
A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access.
Other SO questions came up with solutions like this one or this one, but I don't know where I have to change the header.
My application is written in .NET and I'm using IIS 8.5. My target is to do a CORS request for multiple origin domains. Do I have to write an IHttpModule to handle the origin header?
I came up with my own solution, which also works like Google+ or Facebook auth. Here is another SO question based on iFrame auth.
You can use an iFrame as middleware. Within the iFrame I make a request to my application on same origin/domain.
For example:
My application comes from www.domainA.com, another from www.domainB.com, and both of them contain an iFrame from www.hostingdomain.com.
From www.hostingdomain.com I make a call to my webservice and set a cookie based on .NET FormsAuthentication. For IE you have to use P3P to set a 3rd-party cookie.
You can use the IIS CORS Module: https://www.iis.net/downloads/microsoft/iis-cors-module
Your web.config should be something like this, replacing [origin_#] with your domains:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <cors enabled="true" failUnlistedOrigins="true">
      <add origin="[origin_1]">
        <allowMethods>
          <add method="GET" />
          <add method="HEAD" />
          <add method="POST" />
          <add method="PUT" />
          <add method="DELETE" />
        </allowMethods>
      </add>
      <add origin="[origin_2]">
        <allowMethods>
          <add method="GET" />
          <add method="HEAD" />
          <add method="POST" />
          <add method="PUT" />
          <add method="DELETE" />
        </allowMethods>
      </add>
    </cors>
  </system.webServer>
</configuration>
You can find the configuration reference here: https://docs.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference
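For the IHttpModule route the question asks about, the sketch below is an added example, not code from any of the posts above: it checks the request's Origin against an allowlist and echoes back only the single matching value, which is how multiple origins are served with credentials enabled. The class name CorsAllowListModule, the https scheme on the two origins and the Content-Type allowed header are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example: per-request origin allowlist for ASP.NET (System.Web) on IIS.
public sealed class CorsAllowListModule : IHttpModule
{
    // Assumed origins, taken from the example domains in the thread.
    // Scheme and host are case-insensitive, so compare without case.
    // The literal "null" origin (file:// pages, sandboxed iframes) is never listed.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://www.domainA.com",
            "https://www.domainB.com"
        };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;
        HttpResponse response = app.Context.Response;

        // The response differs per Origin, so caches must key on it.
        response.AppendHeader("Vary", "Origin");

        string origin = request.Headers["Origin"];
        if (string.IsNullOrEmpty(origin) || !AllowedOrigins.Contains(origin))
            return; // No CORS headers: the browser refuses the cross-origin read.

        // Exactly one origin value is returned; "*" is rejected with credentials.
        response.AppendHeader("Access-Control-Allow-Origin", origin);
        response.AppendHeader("Access-Control-Allow-Credentials", "true");

        if (request.HttpMethod == "OPTIONS")
        {
            // Preflight: answer here and skip the rest of the pipeline.
            response.AppendHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE");
            response.AppendHeader("Access-Control-Allow-Headers", "Content-Type");
            response.StatusCode = 204;
            app.CompleteRequest();
        }
    }

    public void Dispose() { }
}
```

The module has to be registered under system.webServer/modules in web.config. Any static Access-Control-Allow-Origin entry in customHeaders should be removed so the response does not carry two values.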