Request based CORS policies

[TehWardy]

In order to get CORS working over signalr for my content management system that has a list of supported domains in the DB needs a means to examine the request and auto respond to OPTIONS requests with the current domain being allowed so that the follow on call can decide what is and isn't actually allowed for the current user on the requested domain.

The background here is that my CMS hosts multiple sites in the same db with a table containing the list of sites supported (which isn't small).
An api call can be made to add a new site / domain so I can't hard code a list of known domains on start and to my knowledge there's no guidance on how to dynamically add new CORS policies at runtime during a HTTP request.
For performance reasons I can't keep going back to the database on every options request anyway so I'd like to default to all options requests telling the client that their domain is allowed for cross domain calls with credentials.

I would like a means to say something like this ...

app.UseCors(builder =>
{
    builder.AllowAnyHeader();
    builder.AllowAnyMethod();
    builder.AllowRequestedOrigin();
    builder.AllowCredentials();
});

.... or maybe something like ...

app.UseCors(builder =>
{
    builder.AllowAnyHeader();
    builder.AllowAnyMethod();
    builder.AllowOrigin(request => true);
    builder.AllowCredentials();
});

... since what i effectively want is "No Cors failures for any request on any domain with credentials" but no browser will accept that and the framework won't allow me to configure that due to the way the standard works I accept here that I am deliberately asking for what might be considered a "security risk" from the standards point of view but I am mitigating that in the actual request so I am not concerned about this.

Others have suggested putting things like a list of domains in to the config file but this would simply bloat out my configs to an unusable level due to the number of domains being manged by the application.

background information ...

I have a single API application that responds to calls on "api.mydomain.com" then I have a front end application that accepts calls from any domain forwarded to the server that makes API calls to get details of a page to render.

The rendered page then has javascript on it that may fire up signalr components using standardised hubs in the API.

For this reason I can't "pre-configure" a set of accepted domains as is documented,
Hitting the db for a request that I will always accept is pointless.

[dcarr42]

builder.AllowOrigin(request => true);

This is supported with SetIsOriginAllowed

[TehWardy]

Oh ok ... did not know that!
Side question ...

In configure services I will now have ...

services.AddCors(options => options.AddDefaultPolicy(builder => {
                builder.AllowAnyHeader();
                builder.AllowAnyMethod();
                builder.SetIsOriginAllowed(origin => true);
                builder.AllowCredentials();
            }))

and in configure i have ...

app.UseCors(builder =>
{
    builder.AllowAnyHeader();
    builder.AllowAnyMethod();
    builder.SetIsOriginAllowed(origin => true);
    builder.AllowCredentials();
});

... do i need both or is this not just basically repetition at least at some level?

[dcarr42]

YMMV on this one. If you are using attribute based config then policy will take effect. Pure middleware can be configured through use of a policy or ad hoc as in your example.

[pranavkm]

IdentityServer4 does something like this by implementing ICorsPolicyProvider. Here's relevant pieces of code:

• https:/IdentityServer/IdentityServer4/blob/44651bea9b02c992902639b21205f433aad47d03/src/IdentityServer4/src/Hosting/CorsPolicyProvider.cs#L17
• https:/IdentityServer/IdentityServer4/blob/56eaba86deb8709f16604dd3188a7c4bfe83e758/src/EntityFramework.Storage/src/Services/CorsPolicyService.cs

I would generally advise against all origins when you allow credentials. It has a known XSS vulnerability: #3106

[pranavkm]

Closing as this has been answered.