7

Is there any way to allow multiple cross-domains using Access-Control-Allow-Origin in the web.config file?

Currently I am using * to allow multiple domains at once.

<add name="Access-Control-Allow-Origin" value="*" />

But I don't want to use * because it's open for all domains and I only want to allow some specific domains.

So, is there any way to allow multiple cross-domains using Access-Control-Allow-Origin in the web.config file?

I found some related posts:

I already tried to get the request header to validate the request origin (as suggested in post 1) but was unsuccessful. Because I am using an iframe element, when I try to get the request header, it provides the origin (domain) of the iframe. But here I want the original (parent window) origin (domain).

Ishan Jain
  • https://learn.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference Microsoft provides an IIS module after several years. – Lex Li Jul 07 '18 at 05:06

2 Answers

1

For IIS 7.5+ you can use the IIS CORS Module: https://www.iis.net/downloads/microsoft/iis-cors-module

Your web.config should be something like this, replacing [origin_#] with your domains:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
            <add origin="[origin_1]">
                <allowMethods>                    
                    <add method="GET" />
                    <add method="HEAD" />
                    <add method="POST" />
                    <add method="PUT" /> 
                    <add method="DELETE" /> 
                </allowMethods>
            </add>
            <add origin="[origin_2]">
                <allowMethods>
                    <add method="GET" />
                    <add method="HEAD" />
                    <add method="POST" />
                    <add method="PUT" /> 
                    <add method="DELETE" /> 
                </allowMethods>
            </add>
        </cors>
    </system.webServer>
</configuration>

You can find the configuration reference here: https://learn.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference

Mario Arturo
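
What a per-origin allowlist like the one above amounts to on each request, as an added Python sketch (not code from this answer or from the IIS CORS module): the Origin header is matched exactly against the list and, on a match, that single origin is echoed back, since Access-Control-Allow-Origin cannot carry a list. The domain names are constructed placeholders, and returning 403 for unlisted origins is this sketch's assumed model of failUnlistedOrigins.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist (placeholder domains, not from the page).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return scheme://host[:port] in canonical form, or None if malformed."""
    if not origin or origin == "null":
        return None  # sandboxed iframes and file:// pages send "null"
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An Origin header carries no path, query, fragment or credentials.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_decision(origin_header, allowed=ALLOWED_ORIGINS, fail_unlisted=True):
    """Return (status, headers) for one request (hypothetical helper)."""
    headers = {"Vary": "Origin"}  # stop caches reusing one origin's answer
    if origin_header is None:
        return 200, headers  # no Origin header: nothing CORS-related to add
    origin = normalize_origin(origin_header)
    canonical = {normalize_origin(o) for o in allowed}
    if origin is not None and origin in canonical:
        # Exact match only; substring or suffix checks would let
        # look-alike hosts through. Echo exactly one origin.
        headers["Access-Control-Allow-Origin"] = origin
        return 200, headers
    return (403 if fail_unlisted else 200), headers
```
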
0

I think the first method should work, but let's have a closer look at the iframe issue.

Is it possible to get the iframe parent document? Yes, it is possible.

If you check this, you will find that document.referrer should work inside your iframe.

Hence the first solution should be valid.

ProllyGeek