
I've got a C# Web API and in Application_Start() I configure the routes, formatters and CORS domains. My problem is that, based on the request origin, I have to add more domains to the CORS domains (e.g. if the request comes from 123.com there are more CORS domains than from asd.com). I thought of adding the additional CORS domains in Application_BeginRequest:

    void Application_BeginRequest(Object source, EventArgs e)
    {
        HttpApplication app = (HttpApplication)source;
        HttpContext context = app.Context;

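        // Attempt to perform first request initialization
        FirstRequestInitialization.Initialize(context);

        // Origin header of the incoming request (null when the header is absent)
        string originHeader = context.Request.Headers["Origin"];
        var corsDomains = Settings.Default.CORS_Domains;
        if (originHeader == "somevalue")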
        {
            corsDomains += ", " + Settings.Default.CORS_SomeValue_Domains;
        }

        var cors = new EnableCorsAttribute(corsDomains, "*", "*")
        {
            SupportsCredentials = true
        };
        HttpConfiguration config = //where to get config?
        config.EnableCors(cors); 
    }

Is there a way to retrieve and change the config? Thank you very much for your help.

Edit: Maybe an example can clarify what I need:

Request comes from asdf.org: CORS domains should be: base.com, home.org, jkl.net (but NOT qwer.com)

Request comes from test.com: CORS domains should be: base.com, home.org, qwer.com (but NOT jkl.net)

In the Settings.Default, I have multiple lists:

CORS_BASE: base.com, home.org

CORS_ASDF: jkl.net

CORS_TEST: qwer.com

How can I add the additional list to the CORS domains, according to the origin of the request?

kappadoky
  • If you want to allow all, just keep "*". If you need to add clients on the fly and keep control, move the CORS list to the .config file, and do increments when needed – Fals Dec 13 '17 at 13:31
  • I don't want to allow all, therefore I use the "corsDomains" string. The list of these domains is in the config file, but there are multiple lists (a "base" one for every domain, and additional ones, based on the request's origin). That means: origin a should be allowed for CORS from list base and list a, but not list b; origin b should be allowed for CORS from list base and b, but not from list a. – kappadoky Dec 13 '17 at 13:38
  • You should exemplify your problem better then. Looks like you need Black List X White List for domains accessing the API. Give us a better explanation – Fals Dec 13 '17 at 13:40
  • @Fals I added an example that hopefully helps to clarify my problem – kappadoky Dec 13 '17 at 14:19
  • Makes no sense to add any domain based on the request, it's the same as allowing all of them. You should allow by black listing or white listing. You must keep this list somewhere. – Fals Dec 13 '17 at 16:15
  • @Fals Why doesn't it make sense? I've got two different web-apps that use my API. They need two different lists of CORS domains. I'm whitelisting the domains, but the whitelist should be different, depending on where the request comes from. – kappadoky Dec 13 '17 at 17:26
  • Why? Just keep a white list! – Fals Dec 13 '17 at 17:29

0 Answers
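
Web API asks an `ICorsPolicyProvider` for the policy on every request, which is the hook for building the allowed-origin list per request instead of calling `EnableCors` again in `Application_BeginRequest`. The following is an added example, not part of the original question or comments; the class name, the `http://` scheme on the origins and the hard-coded lists (standing in for the `Settings.Default` values) are assumptions.

```csharp
// Added example, not from the original post. List contents are the sample
// values from the question; the scheme prefix and class name are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http.Cors;

public sealed class PerOriginCorsPolicyProvider : ICorsPolicyProvider
{
    // CORS_BASE in the question: applies to every request.
    private static readonly string[] BaseList = { "http://base.com", "http://home.org" };

    // Extra list selected by the request's Origin (CORS_ASDF / CORS_TEST in the question).
    private static readonly Dictionary<string, string[]> ExtraLists =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "http://asdf.org", new[] { "http://jkl.net" } },
            { "http://test.com", new[] { "http://qwer.com" } },
        };

    public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string origin = request.Headers.TryGetValues("Origin", out values) ? values.FirstOrDefault() : null;

        var policy = new CorsPolicy { AllowAnyHeader = true, AllowAnyMethod = true, SupportsCredentials = true };
        foreach (var o in BaseList) policy.Origins.Add(o);

        string[] extra;
        if (origin != null && ExtraLists.TryGetValue(origin, out extra))
            foreach (var o in extra) policy.Origins.Add(o);

        // Web API's CORS engine still compares the Origin header to policy.Origins,
        // so a caller is only allowed if its own origin is in the list built here.
        return Task.FromResult(policy);
    }
}

// Registered once at startup (e.g. in WebApiConfig.Register):
//     config.EnableCors(new PerOriginCorsPolicyProvider());
```

Because the policy is built explicitly and never sets `AllowAnyOrigin`, credentials are only ever paired with origins that appear in the configured lists.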