Updating Web.config with CORS and Multiple Domains

Published by Don Pavlik on

This problem is not a new one; you have one server that you want to allow select few domains to access. CORS allows you to allow all (*) or a single targeted domain, but each has its restrictions which you can read more about here: (https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/#).

We could not use *, to allow everyone to connect, because we wanted to enforce credential pass through. So the default way IIS and web.configs for adding a domain via Access-Control-Allow-Origin header failed to meet our needs. Doing some research, I found a Stackoverflow article (https://stackoverflow.com/questions/17323350/access-control-allow-origin-with-multiple-domains) on how you could solve the problem in two ways:

  1. Add code to your global.asmx and have it check if that origin is in a defined list in your code/config. Then dynamically add that domain to the Access-Control-Allow-Origin header. 
  2. Use URL Rewrite to check for the domain and add it to the origin.

I thought about the first option briefly, but it quickly fell out a favor because the target for this was one single environment. Option two allowed me to update a specific environment the conditional code, and we could keep track of those environments on a watch list for any security concerns.

Steps followed to implement this solution:

  1. Download and install URL Rewrite from Microsoft (https://www.iis.net/downloads/microsoft/url-rewrite)
  2. Update the web.config the defined snippet
<system.webServer>
   <httpProtocol>
     <customHeaders>
         <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />
         <add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS,PUT,DELETE" />
     </customHeaders>
   </httpProtocol>
        <rewrite>
            <outboundRules>
                <clear />
                <rule name="AddCrossDomainHeader">
                    <match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
                        <add input="{HTTP_ORIGIN}" pattern="(https:\/\/((.+\.)?(domain1|domain2)\.(com|org|net)))" />
                    </conditions>
                    <action type="Rewrite" value="{C:0}" />
                </rule>
            </outboundRules>
        </rewrite>
 </system.webServer>

I used the code snippet nearly verbatim, except the regex pattern. I updated to the suggested pattern defined in the comments as well as making the protocol be strictly https.

So far am pleased with the solution, I am keeping an eye out for the possible issue of caching, as mentioned in the article. However, I have not seen any caching issues with the limited amount of testing done.

Categories: ReferenceSecurity
Tags:

Related Posts

Reference

Getting Ubuntu Installed on Windows without Using the Windows Store

For the build of Windows 17134.950 and with the Windows Store disabled, I have found out how to install Linux for the WSL feature. To enable the WSL feature, I suggest following the PowerShell steps Read more…

Cheatsheet

Notes from “Play by Play Modern Web Security Patterns”

Notes on somethings that we need to make sure are in place to protect our users from malicious code.