Limiting CORS in CDA?


Hi

I'm trying to get started with the Content Delivery API and have a question regarding CORS. I installed the CDA NuGet packages, added the initialization part in ConfigureContainer, and got the site up and running on localhost. When I try to call the API from a browser, I see from the response header that it allows cross-site calls:

Access-Control-Allow-Headers: *

This seems to be set by the Content Delivery API somewhere, and I'm unsure how to change this from code (I can append headers, but not modify existing ones).

Can this be changed somehow?

Using Content Delivery API v. 2.17.0.

#247852
Jan 29, 2021 7:01

Isn't the whole point of the Content Delivery API to use Episerver as a content hub on a separate web app, with the front-end on a different web app?

#248277
Feb 06, 2021 23:46

Hi Bo,

You should be able to modify the ASP.NET response headers in AddOnSendingHeaders: in your BeginRequest handler you would call AddOnSendingHeaders, and in that handler you could look at the response headers and add or remove them as you see fit.

But have you tried configuring CORS with a CORS policy: https://docs.microsoft.com/en-us/previous-versions/aspnet/dn314684(v=vs.118)#corshttpconfigurationextensionsenablecors-method-httpconfiguration ?

#248304
Feb 08, 2021 8:13

@Antti: yes, I did try that, but could only add to the headers, not change existing ones.

The solution was to override GetOrCreatePolicy in EPiServer.ContentApi.Core.Security.Internal.CorsPolicyService (in a custom service), set the CORS policy there, and then re-register the service (with AddSingleton).

#248318
Feb 08, 2021 10:16
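An added example of the approach Bo describes, written for this page rather than taken from the thread or from the Content Delivery API's own source: a subclass of EPiServer.ContentApi.Core.Security.Internal.CorsPolicyService that overrides GetOrCreatePolicy to return a locked-down System.Web.Cors.CorsPolicy, plus an initialization module that re-registers it. The parameter type of GetOrCreatePolicy (HttpRequestMessage, as for a Web API 2 ICorsPolicyProvider), the base-class constructor, the ContentApiCoreInitialization module name used for ordering, and the allowed-origin list are all assumptions; the class sits in an Internal namespace, so check the signature against the EPiServer.ContentApi.Core assembly you actually have installed (the poster is on 2.17.0). The header that decides whether a page on another origin may read the API response is Access-Control-Allow-Origin; Access-Control-Allow-Headers only governs which request headers a preflight permits, so the policy below pins origins, methods and headers explicitly and leaves credentials off.

```csharp
using System.Net.Http;
using System.Web.Cors;
using EPiServer.ContentApi.Core.Security.Internal;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.ServiceLocation;

namespace MySite.ContentApi
{
    // Assumed: GetOrCreatePolicy is virtual and receives the incoming HttpRequestMessage.
    // If your version's CorsPolicyService constructor takes dependencies, add a
    // constructor here that forwards them to base(...).
    public class RestrictedCorsPolicyService : CorsPolicyService
    {
        // Constructed list of front-end origins that may read the API cross-origin.
        // Exact scheme + host + port, no trailing slash, no wildcards.
        private static readonly string[] AllowedOrigins =
        {
            "https://www.example.com",
            "http://localhost:3000"
        };

        private static readonly CorsPolicy RestrictedPolicy = BuildPolicy();

        private static CorsPolicy BuildPolicy()
        {
            var policy = new CorsPolicy
            {
                AllowAnyOrigin = false,   // Access-Control-Allow-Origin echoes a listed origin only
                AllowAnyHeader = false,   // replaces the Access-Control-Allow-Headers: * seen by the poster
                AllowAnyMethod = false,
                SupportsCredentials = false, // keep false unless every origin above is trusted with cookies
                PreflightMaxAge = 600     // browsers may cache the preflight for 10 minutes
            };

            foreach (var origin in AllowedOrigins)
            {
                policy.Origins.Add(origin);
            }

            // A read-only content API only needs GET (plus OPTIONS for the preflight itself).
            policy.Methods.Add("GET");
            policy.Methods.Add("OPTIONS");

            // Request headers the front-end actually sends; anything else fails preflight.
            policy.Headers.Add("Accept");
            policy.Headers.Add("Accept-Language");
            policy.Headers.Add("Authorization");

            return policy;
        }

        // Return our own policy for every request so the permissive default never applies.
        public override CorsPolicy GetOrCreatePolicy(HttpRequestMessage request)
        {
            return RestrictedPolicy;
        }
    }

    [InitializableModule]
    // Assumed module name: the dependency only exists to make this module run after the
    // Content Delivery API has registered its default CorsPolicyService, so that the
    // registration below is the last one for that service type and wins.
    [ModuleDependency(typeof(EPiServer.ContentApi.Core.Internal.ContentApiCoreInitialization))]
    public class RestrictedCorsInitialization : IConfigurableModule
    {
        public void ConfigureContainer(ServiceConfigurationContext context)
        {
            context.Services.AddSingleton<CorsPolicyService, RestrictedCorsPolicyService>();
        }

        public void Initialize(InitializationEngine context) { }

        public void Uninitialize(InitializationEngine context) { }
    }
}
```

To confirm it took effect, send a preflight from a browser devtools console on one of the listed origins (or with curl using -H "Origin: https://www.example.com" -X OPTIONS -H "Access-Control-Request-Method: GET") and check that the response carries Access-Control-Allow-Origin: https://www.example.com and an explicit Access-Control-Allow-Headers list rather than *; a request from an unlisted origin should get no Access-Control-Allow-Origin header at all.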