
How can I allow multiple domains by using "Access-Control-Allow-Origin" in IIS 8

After multiple hours of reading, I found that IIS doesn't support more than one "Access-Control-Allow-Origin" header.

Also, setting the value to "*" isn't allowed and fails with the error:

A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access.

Other SO questions came up with solutions like this one or this one, but I don't know where I have to change the header.

My application is written in .NET and I'm using IIS 8.5. My target is to do a CORS request for multiple origin domains. Do I have to write an IHttpModule to handle the origin header?

I came up with my own solution, which also works like Google+ or Facebook auth. Here is another SO question based on iFrame auth.

You can use an iFrame as middleware. Within the iFrame I make a request to my application on same origin/domain.

For example:

My application comes from www.domainA.com, another from www.domainB.com, and both of them contain an iFrame from www.hostingdomain.com.

From www.hostingdomain.com I make a call to my webservice and set a cookie based on .NET FormsAuthentication. For IE you have to use P3P to set a 3rd party cookie.

You can use IIS CORS Module: https://www.iis.net/downloads/microsoft/iis-cors-module

Your web.config should be something like this, replacing [origin_#] with your domains:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
            <add origin="[origin_1]">
                <allowMethods>                    
                    <add method="GET" />
                    <add method="HEAD" />
                    <add method="POST" />
                    <add method="PUT" /> 
                    <add method="DELETE" /> 
                </allowMethods>
            </add>
            <add origin="[origin_2]">
                <allowMethods>
                    <add method="GET" />
                    <add method="HEAD" />
                    <add method="POST" />
                    <add method="PUT" /> 
                    <add method="DELETE" /> 
                </allowMethods>
            </add>
        </cors>
    </system.webServer>
</configuration>

You can find the configuration reference here: https://docs.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference
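
For the IHttpModule route the question asks about, one way to serve several origins with a single header value is to echo the request's Origin back only on an exact allow-list match. This is an added example, not code from the original posts; the class name, the https scheme on the two origins and the Content-Type allowed-header value are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example (hypothetical class name): answers CORS requests for several
// origins by echoing the caller's Origin only when it is on the allow-list.
public class CorsAllowListModule : IHttpModule
{
    // Hosts are the example domains from this page; the https scheme is assumed.
    // Exact match only: no substring, suffix or regex comparison.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://www.domainA.com",
            "https://www.domainB.com"
        };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string origin = ctx.Request.Headers["Origin"];

        // The response now depends on Origin, so shared caches must key on it.
        ctx.Response.AppendHeader("Vary", "Origin");

        // Missing Origin, the literal "null", or an unlisted origin gets no
        // CORS headers, so the browser refuses the cross-origin read.
        if (string.IsNullOrEmpty(origin) || !AllowedOrigins.Contains(origin))
            return;

        // With credentials the value must be one concrete origin, never "*".
        ctx.Response.AppendHeader("Access-Control-Allow-Origin", origin);
        ctx.Response.AppendHeader("Access-Control-Allow-Credentials", "true");

        if (ctx.Request.HttpMethod == "OPTIONS")
        {
            // Preflight: same method list as the web.config on this page.
            ctx.Response.AppendHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE");
            ctx.Response.AppendHeader("Access-Control-Allow-Headers", "Content-Type"); // assumed
            ctx.Response.StatusCode = 204;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    public void Dispose() { }
}
```

The module has to be registered under system.webServer/modules in web.config before IIS will load it.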
