
Seems like such a simple question, but I can't find the answer, and so it leads me to believe maybe I don't have control of the flag!?

Context:

I'm developing a SignalR hub and client. All works great if (on the signalr site) I set the following in the config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="http://example.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

The problem is that I'd like to use the wildcard here.

When I do (i.e. value="*"), I get the following error (on the client):

A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true.

I could well be missing something simple here, but I can't find a relevant config entry that would allow me to set the credentials flag.

What I've Tried

<add name="Access-Control-Allow-Credentials" value="false"/>

Didn't seem to make a difference (same error).

1 Answer

I believe your client is submitting credentials. CORS does not allow credentials to be included in a wildcard matching set up.

This question outlines it fairly well.

Edit:

This is an even better answer responding to a similar question and linking to the one I referenced. And furthermore, this will be a good place to read

  • Thanks very much for your reply, this is a bit of a show stopper so I appreciate your help. The problem, then, is with the client submitting credentials. I need to open the cross-domain requests up to anybody (this is a site that will ultimately sit inside a mobile app, so I can't determine the domain). Any idea how/how I prevent the client submitting credentials? That question seems to be more concerned with sorting out the access-control-allow-credentials header. –  Jan 15 '15 at 16:24
  • "Sit inside a mobile app?" XHR is only triggered within browsers. Anyone could fake the headers to appear to be originating from another domain. XHR and CORS is really only to allow a web page to request off to another resource, without exposing everyone on the web to XSS and those kinds of attacks. – TheNorthWes Jan 15 '15 at 16:25
  • Well as I'm developing, I can specify my domain explicitly (i.e. `localhost:1234`), I know that's where my client is. However, one of the signalR clients will be a page in a phonegap app (in a webview) (i.e. a browser on a mobile), so I don't know how I'd specify the domain for that. –  Jan 15 '15 at 16:26
  • EDIT: I may have just confused myself there. Basically, I need any client anywhere to connect to my signalr hub. I'm not sure how I could offer the hub so widely whilst listing all of the domains. –  Jan 15 '15 at 16:28
  • I think... your original question is answered. And now you have another which appears to be answered [here](http://stackoverflow.com/questions/9103876/cors-cookie-credentials-from-mobile-webview-loaded-locally-with-file) – TheNorthWes Jan 15 '15 at 16:30
  • Thanks a lot for your help, I'll have a good read of that link, but I'm still unsure on how to stop the submission of credentials from my client. I can get this working for development's sake by listing the domains in the hub's config, but I need to use the wildcard. –  Jan 15 '15 at 16:35
  • I suppose we can forget the mobile app for now, I mentioned that for the sake of providing context. I basically need any client to call it. –  Jan 15 '15 at 16:36
  • Well, do you need authentication to your server? Because it's the negotiation where your client preflights and says "I'm coming from this domain, and with these credentials" and then the server says well wait that's not ok wildcard in my CORS allows. – TheNorthWes Jan 15 '15 at 16:37
  • Alternatively you can use [JSONP](http://en.wikipedia.org/wiki/JSONP) but I don't know how nice that's going to integrate with SignalR – TheNorthWes Jan 15 '15 at 16:39
  • Again, I really appreciate your help, but I'm getting a little lost now. I'm failing to even see how listing domains would even work in the config file as surely this javascript is always on the domain of a client?? I list "http://localhost:1234" in the config file - but I'm not making these calls from a server!? –  Jan 15 '15 at 16:46
  • You whitelist the domains that are allowed to talk to you. I.e. I can't host a webpage at admiralAdama.com and request resources in my HTML served to the client that are on a different domain. That is a clear sign to the browser that Cross Site Scripting is going on. Your "app" should have some domain, but I am seeing references to //file being ignored in CORS and causing errors. If it really runs at localhost:1234 then you may just have to whitelist that "domain" – TheNorthWes Jan 15 '15 at 16:50
  • I understand a little bit more, thanks. But I don't understand how the server I'm making cross-domain requests to is aware of the domain the client script (which makes the request) came from. It's not local to the client's machine, so its domain is no longer server-related, is it? Thanks again, I know I'm asking many questions. You've been very helpful so far. –  Jan 15 '15 at 17:19
  • Browsers automatically add it. To prevent XSS it's part of the HTTP / Browser specs – TheNorthWes Jan 15 '15 at 17:20
  • Ah right, if browsers automatically add it (to be passed as part of the request I assume), then I see how that now relates to you saying it can be easily faked. I suppose my approach should now be to whitelist the domains of which I have control (i.e. all of the web pages), and the 'app' problem I'll tackle separately. In which case, you've answered my question. Again, much appreciated mate. –  Jan 15 '15 at 17:22
  • I'm not seeing the answer to the original question: How do I set the credentials flag to false? Assuming I'm in a dev environment and have no security concerns, how do I just set the flag to false? – Seanonymous May 13 '16 at 23:40
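The check the browser performs in this thread, as an added example that is not part of the question, the answer or SignalR: `corsCheck` models the response-side CORS rules (credentialed requests are refused against a wildcard before `Access-Control-Allow-Credentials` is even consulted, which is why the `value="false"` attempt above changed nothing), and `buildCorsHeaders` shows the whitelist-and-echo pattern the comments arrive at. The header values, origins and the whitelist are constructed sample input.

```javascript
// Lower-case header names so lookups are case-insensitive, as they are in HTTP.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// request: { origin: "http://localhost:1234", withCredentials: true | false }
// responseHeaders: the hub's response headers (constructed for this example).
// Returns { allowed, reason } mirroring the browser's decision and message.
function corsCheck(request, responseHeaders) {
  const h = normalizeHeaders(responseHeaders);
  const allowOrigin = h["access-control-allow-origin"];
  const allowCreds = h["access-control-allow-credentials"];

  if (allowOrigin === undefined) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present." };
  }
  if (request.withCredentials) {
    // The wildcard check comes first: a server-side "Allow-Credentials: false"
    // never rescues a credentialed request against "*".
    if (allowOrigin === "*") {
      return { allowed: false, reason: "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true." };
    }
    if (allowCreds !== "true") {
      return { allowed: false, reason: "Credentials flag is true but 'Access-Control-Allow-Credentials' is not 'true'." };
    }
  }
  if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return { allowed: false, reason: `Origin '${request.origin}' is not allowed by '${allowOrigin}'.` };
  }
  return { allowed: true, reason: "ok" };
}

// Server side: either open up with "*" for anonymous requests, or echo the
// request's Origin back only when it is on the whitelist (never echo blindly).
function buildCorsHeaders(requestOrigin, whitelist, needCredentials) {
  if (!needCredentials) return { "Access-Control-Allow-Origin": "*" };
  if (!whitelist.includes(requestOrigin)) return {}; // not allowed: send no CORS headers
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // so caches do not serve one origin's answer to another
  };
}
```

The credentials flag itself is a client-side setting (the XHR `withCredentials` property); in the SignalR 2.x JavaScript client it is, to my knowledge, the `withCredentials` option passed to `connection.start()`, which the page does not mention and should be verified against the client version in use.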